BUG/MEDIUM: h3: do not crash on invalid response status code

A crash occurs in h3_resp_headers_send() if an invalid response code is
received from the backend side. Fix this by properly flagging the
connection on error. This will cause a CONNECTION_CLOSE.

This should fix github issue #2422.

Big thanks to ygkim (@yokim-git) for his help and reactivity. Initially,
GDB reported an invalid code source location due to heavy functions
inlining inside h3_snd_buf(). The issue was found after using -Og flag.

This must be backported up to 2.6.

(cherry picked from commit 5d2fe1871a1ec4ec68a8ed262f4526e02e8e9fc1)
[wt: dropped H3_EV_TX_FRAME from trace flags]
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/src/h3.c b/src/h3.c
index bf8d3cb..4aa1a52 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -1573,8 +1573,11 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx)
 
        if (qpack_encode_field_section_line(&headers_buf))
                ABORT_NOW();
-       if (qpack_encode_int_status(&headers_buf, status))
-               ABORT_NOW();
+       if (qpack_encode_int_status(&headers_buf, status)) {
+               TRACE_ERROR("invalid status code", H3_EV_TX_HDR, qcs->qcc->conn, qcs);
+               h3c->err = H3_INTERNAL_ERROR;
+               goto err;
+       }
 
        for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) {
                if (isteq(list[hdr].n, ist("")))