From: Amaury Denoyelle Date: Tue, 15 Jul 2025 16:15:36 +0000 (+0200) Subject: BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side) X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=8d4b3efb131477d73aed99bf7caac6c668760817;p=haproxy-3.0.git BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side) On frontend side, H3 layer transcodes HTX status code into HTTP/3 HEADERS frame. This is done by calling qpack_encode_int_status(). Prior to this patch, the latter function was also responsible to reject an invalid value, which guarantee that only valid codes are encoded (between 100 and 999 values). However, this is not practical as it is impossible to differentiate between an invalid code error and a buffer room exhaustation. Changes this so that now HTTP/3 layer first ensures that HTX code is valid. The stream is closed with H3_INTERNAL_ERROR if invalid value is present. Thus, qpack_encode_int_status() will only report an error due to buffer room exhaustion. If a small buffer is used, a standard buffer will be reallocated which should be sufficient to encode the response. The impact of this bug is minimal. Its main benefit is code clarity, while also removing an unnecessary realloc when confronting with an invalid HTTP code. This should be backported at least up to 3.1. Prior to it, smallbuf mechanism isn't present, hence the impact of this patch is less important. However, it may still be backported to older versions, which should facilitate picking patches for HTTP 1xx interim response support. (cherry picked from commit d8b34459b52027d0621ebb0ac146fa277ab8e2ba) Signed-off-by: Amaury Denoyelle (cherry picked from commit eb73c1d08783c49581876c9e95bad0b5a24fd6fc) Signed-off-by: Christopher Faulet (cherry picked from commit 53e0aec26e6636b8a4ad50112e9ddea2f823f015) Signed-off-by: Amaury Denoyelle --- diff --git a/src/h3.c b/src/h3.c index bd6f95d..9ae1b8b 100644 --- a/src/h3.c +++ b/src/h3.c @@ -1700,8 +1700,11 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx) /* start-line -> HEADERS h3 frame */ BUG_ON(sl); sl = htx_get_blk_ptr(htx, blk); - /* TODO should be on h3 layer */ status = sl->info.res.status; + if (status < 100 || status > 999) { + TRACE_ERROR("invalid response status code", H3_EV_STRM_SEND, qcs->qcc->conn, qcs); + goto err; + } } else if (type == HTX_BLK_HDR) { if (unlikely(hdr >= sizeof(list) / sizeof(list[0]) - 1)) { @@ -1719,6 +1722,9 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx) } } + /* Current function expects HTX start-line to be present. This also + * ensures conformance has been checked prior to encoding it. + */ BUG_ON(!sl); list[hdr].n = ist(""); @@ -1753,7 +1759,6 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx) if (qpack_encode_field_section_line(&headers_buf)) goto err; if (qpack_encode_int_status(&headers_buf, status)) { - /* TODO handle invalid status code VS no buf space left */ TRACE_ERROR("error during status code encoding", H3_EV_TX_FRAME|H3_EV_TX_HDR, qcs->qcc->conn, qcs); goto err; } diff --git a/src/qpack-enc.c b/src/qpack-enc.c index 006f1f1..ecccb7d 100644 --- a/src/qpack-enc.c +++ b/src/qpack-enc.c @@ -69,8 +69,8 @@ int qpack_encode_int_status(struct buffer *out, unsigned int status) { int status_size, idx = 0; - if (status < 100 || status > 999) - return 1; + /* HTTP layer must not encode invalid status codes. */ + BUG_ON(status < 100 || status > 999); switch (status) { case 103: idx = 24; break;