Skip to content
Browse files

BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used

Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
when the PRIORITY flag is present. A check is missing to ensure the 5
extra bytes needed with this flag are actually part of the frame. As per
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.

Many thanks to Tim for responsibly reporting this issue with a working
config and reproducer. This issue was assigned CVE-2018-20615.

This fix must be backported to 1.9 and 1.8.
  • Loading branch information...
Willy Tarreau
Willy Tarreau committed Dec 31, 2018
1 parent 202c6ce commit a01f45e3ced23c799f6e78b5efdbd32198a75354
Showing with 5 additions and 0 deletions.
  1. +5 −0 src/mux_h2.c
@@ -3316,6 +3316,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
goto fail;

if (flen < 5) {
h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
goto fail;

hdrs += 5; // stream dep = 4, weight = 1
flen -= 5;

0 comments on commit a01f45e

Please sign in to comment.
You can’t perform that action at this time.