[PATCH] HTTP/3: require that field section base index is not negative
Sergey Kandaurov
pluknet at nginx.com
Thu May 26 13:04:21 UTC 2022
> On 26 May 2022, at 15:45, Roman Arutyunyan <arut at nginx.com> wrote:
>
> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1653564901 -14400
> # Thu May 26 15:35:01 2022 +0400
> # Branch quic
> # Node ID 9feb0196a87189b573757cc00a15ff0acf4d5f8c
> # Parent c2f5d79cde64457f1fa7344c56a5248a677a7e46
> HTTP/3: require that field section base index is not negative.
>
> RFC 9204 explicitly requires that.
>
> diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
> --- a/src/http/v3/ngx_http_v3_parse.c
> +++ b/src/http/v3/ngx_http_v3_parse.c
> @@ -474,7 +474,12 @@ done:
> }
>
> if (st->sign) {
> + if (st->insert_count <= st->delta_base) {
> + return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
> + }
> +
> st->base = st->insert_count - st->delta_base - 1;
> +
> } else {
> st->base = st->insert_count + st->delta_base;
> }
>
I'd put something in logs to emphasize bad Base.
Otherwise looks good.
--
Sergey Kandaurov
More information about the nginx-devel
mailing list