BUG/MAJOR: h3: check body size with content-length on empty FIN

In QUIC, a STREAM frame may be received with no data but with FIN bit
set. Parsing code in haproxy has changed several times to deal with it.
Now, in most of h3_rcv_buf() parsing code is skipped and the common
function qcs_http_handle_standalone_fin() is used to deal with it at the
HTX level.

However, this bypass an important HTTP/3 validation check on the
received body size if a content-length header was present. Under some
conditions, this could cause a desynchronization with the backend server
which could be exploited for request smuggling.

Fix this by using h3_check_body_size() if content-length is present when
dealing with a standalone FIN in h3_rcv_buf(). If the received body size
is incorrect, the stream is immediately resetted with H3_MESSAGE_ERROR
code and the error is forwarded to the stream layer.

Thanks to Martino Spagnuolo for his detailed report on this issue and
for having contacting us about it via the security mailing list.

This must be backported up to 2.6.

Author: a-denoyelle

src/h3.c

@@ -1754,6 +1754,14 @@ static ssize_t h3_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 
 	if (!b_data(b) && fin && quic_stream_is_bidi(qcs->id)) {
 		TRACE_PROTO("received FIN without data", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
+
+		/* FIN received, ensure body length is conform to any content-length header. */
+		if ((h3s->flags & H3_SF_HAVE_CLEN) && h3_check_body_size(qcs, 1)) {
+			qcc_abort_stream_read(qcs);
+			qcc_reset_stream(qcs, h3s->err);
+			goto done;
+		}
+
 		if (qcs_http_handle_standalone_fin(qcs)) {
 			TRACE_ERROR("cannot set EOM", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
 			qcc_set_error(qcs->qcc, H3_ERR_INTERNAL_ERROR, 1);