http: http2_transport_rx_callback hardening

When we receive extra data bytes handle it as connection error to
prevent data leakage.

Type: improvement

Change-Id: I1316d019b252faa29a818b4aeff5d1d5752719e2
Signed-off-by: Matus Fabian <[email protected]>

diff --git a/extras/hs-test/h2spec_extras/h2spec_extras.go b/extras/hs-test/h2spec_extras/h2spec_extras.go
index b2c5c85..db7d4d5 100644 (file)
--- a/extras/hs-test/h2spec_extras/h2spec_extras.go
+++ b/extras/hs-test/h2spec_extras/h2spec_extras.go
@@ -35,6 +35,7 @@ func Spec() *spec.TestGroup {
        tg.AddTestGroup(FlowControl())
        tg.AddTestGroup(ConnectMethod())
        tg.AddTestGroup(ExtendedConnectMethod())
+       tg.AddTestGroup(PingAnomaly())
 
        return tg
 }
@@ -937,3 +938,20 @@ func ConnectUdp() *spec.TestGroup {
 
        return tg
 }
+
+func PingAnomaly() *spec.TestGroup {
+       tg := NewTestGroup("4", "Data Leakage")
+       tg.AddTestCase(&spec.TestCase{
+               Desc:        "1-byte extra",
+               Requirement: "The endpoint MUST terminate the connection with a connection error of type PROTOCOL_ERROR.",
+               Run: func(c *config.Config, conn *spec.Conn) error {
+                       err := conn.Handshake()
+                       if err != nil {
+                               return err
+                       }
+                       conn.Send([]byte("\x00\x00\x08\x06\x00\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\xDE\xAD\xBE\xEF"))
+                       return spec.VerifyConnectionError(conn, http2.ErrCodeProtocol)
+               },
+       })
+       return tg
+}

diff --git a/extras/hs-test/infra/suite_http2.go b/extras/hs-test/infra/suite_http2.go
index 69739bc..69b6bfd 100644 (file)
--- a/extras/hs-test/infra/suite_http2.go
+++ b/extras/hs-test/infra/suite_http2.go
@@ -391,6 +391,7 @@ var http2Tests = []h2specTest{
 var extrasTests = []h2specTest{
        {desc: "extras/1/1"},
        {desc: "extras/1/2"},
+       {desc: "extras/4/1"},
 }
 
 const (

diff --git a/src/plugins/http/http2/http2.c b/src/plugins/http/http2/http2.c
index 880d31b..45e2f82 100644 (file)
--- a/src/plugins/http/http2/http2.c
+++ b/src/plugins/http/http2/http2.c
@@ -2882,6 +2882,14 @@ http2_transport_rx_callback (http_conn_t *hc)
       http_io_ts_drain (hc, HTTP2_FRAME_HEADER_SIZE);
       to_deq -= fh.length;
 
+      /* to prevent data leakage */
+      if (to_deq && to_deq < HTTP2_FRAME_HEADER_SIZE)
+       {
+         HTTP_DBG (1, "to_deq %u is less than frame header size", to_deq);
+         http2_connection_error (hc, HTTP2_ERROR_PROTOCOL_ERROR, 0);
+         return;
+       }
+
       HTTP_DBG (1, "frame type 0x%02x len %u", fh.type, fh.length);
 
       if ((h2c->flags & HTTP2_CONN_F_EXPECT_CONTINUATION) &&