Skip to content

Commit 0a98fdb

Browse files
committed
BUG/MINOR: hq-interop: reject too big content
hq-interop request parser is minimal. It simply extracts a method and a path until the whitespace delimiter. Parsing is interrupted if the delimiter cannot be found, and MUX is responsible to reinvoke it later with new content added. This patch adjusts hq-interop parsing in case of a missing delimiter. Now it also checks if there is space remaining in the buffer. If this is not the case, it returns a fatal error as parsing cannot be completed at all. This change has the side effect of preventing a BUG_ON() crash in MUX : in case of a truncated parsing, qcs_transfer_rx_data() may be used to realign content from the next buffer. However this function explicitely forbids to be called with a full buffer as it could do nothing in this case, hence this BUG_ON() to ensure parsing is never fully blocked. The impact of this bug remains low despite the potential BUG_ON() crash. This is because hq-interop is only used for QUIC debugging purpose and should not be activated in production. HTTP/3 layer is immune as it already ensures that frame length is never bigger than a buffer size (except for DATA frames which can be parsed in a streaming mode). Thanks to BeaCox <root@beacox.space> for having reported us this issue. This should be backported up to 2.6. From 3.3, qcm_stream_rx_bufsz() is using the older "qmux" prefix and must be renamed. Also, this function does not exists in 3.0 and older so the test must be adjusted there as well.
1 parent 1ad74d6 commit 0a98fdb

1 file changed

Lines changed: 15 additions & 0 deletions

File tree

src/hq_interop.c

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,12 +39,22 @@ static ssize_t hq_interop_rcv_buf_req(struct qcs *qcs, struct buffer *b, int fin
3939
}
4040

4141
if (!data || !HTTP_IS_SPHT(*ptr)) {
42+
if (b_size(b) - b_room(b) >= qcm_stream_rx_bufsz()) {
43+
fprintf(stderr, "content too big\n");
44+
return -1;
45+
}
46+
4247
fprintf(stderr, "truncated stream\n");
4348
return 0;
4449
}
4550

4651
ptr++;
4752
if (!--data) {
53+
if (b_size(b) - b_room(b) >= qcm_stream_rx_bufsz()) {
54+
fprintf(stderr, "content too big\n");
55+
return -1;
56+
}
57+
4858
fprintf(stderr, "truncated stream\n");
4959
return 0;
5060
}
@@ -62,6 +72,11 @@ static ssize_t hq_interop_rcv_buf_req(struct qcs *qcs, struct buffer *b, int fin
6272
}
6373

6474
if (!data) {
75+
if (b_size(b) - b_room(b) >= qcm_stream_rx_bufsz()) {
76+
fprintf(stderr, "content too big\n");
77+
return -1;
78+
}
79+
6580
fprintf(stderr, "truncated stream\n");
6681
return 0;
6782
}

0 commit comments

Comments
 (0)