From 0cd6e7c4d75dd46c9b2350a926927c28a875f5b6 Mon Sep 17 00:00:00 2001
From: Matus Fabian
Date: Fri, 1 Aug 2025 05:51:44 -0400
Subject: [PATCH] http: http2_transport_rx_callback hardening
When we receive extra data bytes handle it as connection error to prevent data leakage.
Type: improvement
Change-Id: I1316d019b252faa29a818b4aeff5d1d5752719e2
Signed-off-by: Matus Fabian
---
 extras/hs-test/h2spec_extras/h2spec_extras.go | 18 ++++++++++++++++++
 extras/hs-test/infra/suite_http2.go | 1 +
 src/plugins/http/http2/http2.c | 8 ++++++++
 3 files changed, 27 insertions(+)
diff --git a/extras/hs-test/h2spec_extras/h2spec_extras.go b/extras/hs-test/h2spec_extras/h2spec_extras.go
index b2c5c85fb63..db7d4d514c9 100644
--- a/extras/hs-test/h2spec_extras/h2spec_extras.go
+++ b/extras/hs-test/h2spec_extras/h2spec_extras.go
@@ -35,6 +35,7 @@ func Spec() *spec.TestGroup {
 tg.AddTestGroup(FlowControl())
 tg.AddTestGroup(ConnectMethod())
 tg.AddTestGroup(ExtendedConnectMethod())
+ tg.AddTestGroup(PingAnomaly())
 return tg
 }
@@ -937,3 +938,20 @@ func ConnectUdp() *spec.TestGroup {
 return tg
 }
+
+func PingAnomaly() *spec.TestGroup {
+ tg := NewTestGroup("4", "Data Leakage")
+ tg.AddTestCase(&spec.TestCase{
+ Desc: "1-byte extra",
+ Requirement: "The endpoint MUST terminate the connection with a connection error of type PROTOCOL_ERROR.",
+ Run: func(c *config.Config, conn *spec.Conn) error {
+ err := conn.Handshake()
+ if err != nil {
+ return err
+ }
+ conn.Send([]byte("\x00\x00\x08\x06\x00\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\xDE\xAD\xBE\xEF"))
+ return spec.VerifyConnectionError(conn, http2.ErrCodeProtocol)
+ },
+ })
+ return tg
+}
diff --git a/extras/hs-test/infra/suite_http2.go b/extras/hs-test/infra/suite_http2.go
index 69739bc8a6b..69b6bfdf565 100644
--- a/extras/hs-test/infra/suite_http2.go
+++ b/extras/hs-test/infra/suite_http2.go
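Review bot: The byte string passed to `conn.Send` in `PingAnomaly` carries no explanation, and the call's result is dropped. A comment such as `// PING frame: 9-byte header (length 8, type 0x06, stream 0) + 8 payload bytes, then 1 stray byte` would let a reader check the case against its "1-byte extra" description. If `Send` returns an error, as it appears to in h2spec's `spec.Conn`, it should be checked with `if err := conn.Send(frame); err != nil { return err }` so a failed write is not reported as a missing connection error. The case covers a single stray byte, while the guard added to http2.c in this commit rejects any remainder shorter than a frame header, so a second case with eight stray bytes would pin the upper boundary.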
@@ -391,6 +391,7 @@ var http2Tests = []h2specTest{
 var extrasTests = []h2specTest{
 {desc: "extras/1/1"},
 {desc: "extras/1/2"},
+ {desc: "extras/4/1"},
 }
 const (
diff --git a/src/plugins/http/http2/http2.c b/src/plugins/http/http2/http2.c
index 880d31bbaf6..45e2f821fe6 100644
--- a/src/plugins/http/http2/http2.c
+++ b/src/plugins/http/http2/http2.c
@@ -2882,6 +2882,14 @@ http2_transport_rx_callback (http_conn_t *hc)
 http_io_ts_drain (hc, HTTP2_FRAME_HEADER_SIZE);
 to_deq -= fh.length;
+ /* to prevent data leakage */
+ if (to_deq && to_deq < HTTP2_FRAME_HEADER_SIZE)
+ {
+ HTTP_DBG (1, "to_deq %u is less than frame header size", to_deq);
+ http2_connection_error (hc, HTTP2_ERROR_PROTOCOL_ERROR, 0);
+ return;
+ }
+
 HTTP_DBG (1, "frame type 0x%02x len %u", fh.type, fh.length);
 if ((h2c->flags & HTTP2_CONN_F_EXPECT_CONTINUATION) &&
--
2.16.6
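Review bot: The guard added after `to_deq -= fh.length;` turns any remainder of 1 to 8 bytes into a PROTOCOL_ERROR, and nothing visible in the hunk shows that such a remainder cannot be the first part of a valid frame header that is still arriving. On a byte-stream transport a 9-byte header may be split across two reads, so unless code outside the hunk guarantees otherwise, a compliant peer could be disconnected; this should be confirmed against the rest of `http2_transport_rx_callback`, whose body starts and ends outside the hunk. The comment `/* to prevent data leakage */` would also be more useful if it named the condition, for example `/* remainder shorter than a frame header is handled as a connection error (extra bytes after a frame) */`.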