Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 7538c86)
http: huffman decoder invalid EOS handling fix 85/43485/2
authorMatus Fabian <[email protected]>
Mon, 28 Jul 2025 08:42:35 +0000 (04:42 -0400)
committerFlorin Coras <[email protected]>
Mon, 28 Jul 2025 17:46:30 +0000 (17:46 +0000)
Handle EOS longer than 7 bits

Type: fix

Change-Id: I4cb3ba37efe17dad9245c4d433eac987354d225c
Signed-off-by: Matus Fabian <[email protected]>
src/plugins/http/http2/hpack.c patch | blob | history
src/plugins/http/test/http_test.c patch | blob | history

diff --git a/src/plugins/http/http2/hpack.c b/src/plugins/http/http2/hpack.c
index 8af061e..b94e8eb 100644 (file)
--- a/src/plugins/http/http2/hpack.c
+++ b/src/plugins/http/http2/hpack.c
@@ -198,6 +198,9 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len)
           * encoding”
           */
          hpack_huffman_group_t *hg = hpack_huffman_get_group (tmp);
+         /* this might happen with invalid EOS (longer than 7 bits) */
+         if (hg->code_len > accumulator_len)
+           return HTTP2_ERROR_COMPRESSION_ERROR;
          /* trim code to correct length */
          u32 code = (accumulator >> (accumulator_len - hg->code_len)) &
                     ((1 << hg->code_len) - 1);
@@ -215,7 +218,7 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len)
          /* there might be one more symbol encoded with short code */
          if (accumulator_len >= 5)
            {
-             /* first check EOF case */
+             /* first check EOS case */
              if (((1 << accumulator_len) - 1) ==
                  (accumulator & ((1 << accumulator_len) - 1)))
                break;
@@ -235,7 +238,7 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len)
              if (accumulator_len == 0)
                break;
            }
-         /* we must end with EOF here */
+         /* we must end with EOS here */
          if (((1 << accumulator_len) - 1) !=
              (accumulator & ((1 << accumulator_len) - 1)))
            return HTTP2_ERROR_COMPRESSION_ERROR;
diff --git a/src/plugins/http/test/http_test.c b/src/plugins/http/test/http_test.c
index 0d2e3a7..cf04fc1 100644 (file)
--- a/src/plugins/http/test/http_test.c
+++ b/src/plugins/http/test/http_test.c
@@ -994,6 +994,9 @@ http_test_hpack (vlib_main_t *vm)
   N_TEST ("\x7Fprivate", HTTP2_ERROR_COMPRESSION_ERROR);
   /* invalid EOF */
   N_TEST ("\x81\x8C", HTTP2_ERROR_COMPRESSION_ERROR);
+  N_TEST ("\x98\xDC\x53\xFF\xFF\xFF\xDF\xFF\xFF\xFF\x14\xFF\xFF\xFF\xF7\xFF"
+         "\xFF\xFF\xC5\x3F\xFF\xFF\xFD\xFF\xFF",
+         HTTP2_ERROR_COMPRESSION_ERROR);
   /* not enough space for decoding */
   N_TEST (
     "\x96\xD0\x7A\xBE\x94\x10\x54\xD4\x44\xA8\x20\x05\x95\x04\x0B\x81\x66"
Vector Packet Processing