h3: harden request stream frame processing in clients#2477
Merged
Conversation
Previously, the request-stream frame-type validation in `set_frame_type` was gated on `!self.is_local`, which meant that on a client (where request streams are locally initiated) the entire match block was skipped. As a result, a server could send CANCEL_PUSH, SETTINGS, GOAWAY, MAX_PUSH_ID or PRIORITY_UPDATE frames on a request stream and the client would silently accept them, in some cases mutating connection state (peer_settings, peer_goaway_id) or surfacing spurious events to the application. RFC 9114 requires these frames to be rejected with H3_FRAME_UNEXPECTED regardless of which endpoint opened the stream. This change is focused on hardening illegal-frame-type check gaps that existed for the client; new tests have been added to exercise them. Other types of exchanges already have coverage, or are due for a significant refactor in planned work.
Contributor
Author
|
Note that the H3 stream state prcessing logic also has other pending improvements such as #2153. I want to keep this one as focused as possible. |
ghedo
approved these changes
May 13, 2026
antoniovicente
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, the request-stream frame-type validation in
set_frame_typewas gated on!self.is_local, which meant thaton a client (where request streams are locally initiated) the entire
match block was skipped. As a result, a server could send CANCEL_PUSH,
SETTINGS, GOAWAY, MAX_PUSH_ID or PRIORITY_UPDATE frames on a request
stream and the client would silently accept them, in some cases
mutating connection state (peer_settings, peer_goaway_id) or surfacing
spurious events to the application.
RFC 9114 requires these frames to be rejected with H3_FRAME_UNEXPECTED
regardless of which endpoint opened the stream.
This change is focused on hardening illegal-frame-type check gaps that
existed for the client; new tests have been added to exercise them. Other
types of exchanges already have coverage, or are due for a significant
refactor in planned work.