From bbdf339b4ad4982f99939dd2b34b11e5e77086a9 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 21 Apr 2021 11:11:21 +0200
Subject: [PATCH] BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames When header are splitted over several frames, payload of HEADERS and CONTINUATION frames are merged to form a unique HEADERS frame before decoding the payload. To do so, info about the current frame are updated (dff, dfl..) with info of the next one. Here there is a bug when the frame length (dfl) is update. We must add the next frame length (hdr.dfl) and not only the amount of data found in the buffer (clen). Because HEADERS frames are decoded in one pass, dfl value is the whole frame length or 0. nothing intermediary. This patch must be backported as far as 2.0.
(cherry picked from commit cb1847c77285ba6dbd413774fcf2282cafa19bd2)
Signed-off-by: Christopher Faulet
(cherry picked from commit 55c007ae42cd210506b0d6e99c13238c4ea49d19)
Signed-off-by: Christopher Faulet
(cherry picked from commit 081474a3ac01871eafdcfbe59df418d52e1ebd16)
Signed-off-by: Christopher Faulet
---
 src/mux_h2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index f76ed1a..2a3008e 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -4320,7 +4320,7 @@ next_frame:
 * above). The hole moves after the new aggragated frame.
 */
 b_move(&h2c->dbuf, b_peek_ofs(&h2c->dbuf, h2c->dfl + hole + 9), clen, -(h2c->dpl + hole + 9));
- h2c->dfl += clen - h2c->dpl;
+ h2c->dfl += hdr.len - h2c->dpl;
 hole += h2c->dpl + 9;
 h2c->dpl = 0;
 TRACE_STATE("waiting for next continuation frame", H2_EV_RX_FRAME|H2_EV_RX_FHDR|H2_EV_RX_CONT|H2_EV_RX_HDR, h2c->conn);
--
1.7.10.4
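Review bot: The new `h2c->dfl += hdr.len - h2c->dpl;` adds a peer-declared length instead of the buffered byte count, so after this line `dfl` can exceed what `h2c->dbuf` holds whenever a CONTINUATION payload is only partly received, while the preceding `b_move()` still moved only `clen` bytes. The checks that bound `hdr.len` and the accumulated `dfl + hole` against the buffer size, and that wait for the rest of the frame, are not visible in this hunk; confirm they run before the next `b_peek_ofs(&h2c->dbuf, h2c->dfl + hole + 9)`. I would record the invariant next to the change, e.g. `/* dfl counts the whole declared frame (hdr.len), not the bytes received so far (clen) */`. The `next_frame:` block starts and ends outside the hunk.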