From 6086803e136a84fef1cd022d583e3c21dd56167d Mon Sep 17 00:00:00 2001 From: Matus Fabian Date: Mon, 28 Jul 2025 04:42:35 -0400 Subject: [PATCH] http: huffman decoder invalid EOS handling fix Handle EOS longer than 7 bits Type: fix Change-Id: I4cb3ba37efe17dad9245c4d433eac987354d225c Signed-off-by: Matus Fabian --- src/plugins/http/http2/hpack.c | 7 +++++-- src/plugins/http/test/http_test.c | 3 +++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/plugins/http/http2/hpack.c b/src/plugins/http/http2/hpack.c index 8af061eb753..b94e8ebc220 100644 --- a/src/plugins/http/http2/hpack.c +++ b/src/plugins/http/http2/hpack.c @@ -198,6 +198,9 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len) * encoding” */ hpack_huffman_group_t *hg = hpack_huffman_get_group (tmp); + /* this might happen with invalid EOS (longer than 7 bits) */ + if (hg->code_len > accumulator_len) + return HTTP2_ERROR_COMPRESSION_ERROR; /* trim code to correct length */ u32 code = (accumulator >> (accumulator_len - hg->code_len)) & ((1 << hg->code_len) - 1); @@ -215,7 +218,7 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len) /* there might be one more symbol encoded with short code */ if (accumulator_len >= 5) { - /* first check EOF case */ + /* first check EOS case */ if (((1 << accumulator_len) - 1) == (accumulator & ((1 << accumulator_len) - 1))) break; @@ -235,7 +238,7 @@ hpack_decode_huffman (u8 **src, u8 *end, u8 **buf, uword *buf_len) if (accumulator_len == 0) break; } - /* we must end with EOF here */ + /* we must end with EOS here */ if (((1 << accumulator_len) - 1) != (accumulator & ((1 << accumulator_len) - 1))) return HTTP2_ERROR_COMPRESSION_ERROR; diff --git a/src/plugins/http/test/http_test.c b/src/plugins/http/test/http_test.c index 0d2e3a7b495..cf04fc1a2af 100644 --- a/src/plugins/http/test/http_test.c +++ b/src/plugins/http/test/http_test.c @@ -994,6 +994,9 @@ http_test_hpack (vlib_main_t *vm) N_TEST ("\x7Fprivate", HTTP2_ERROR_COMPRESSION_ERROR); /* invalid EOF */ N_TEST ("\x81\x8C", HTTP2_ERROR_COMPRESSION_ERROR); + N_TEST ("\x98\xDC\x53\xFF\xFF\xFF\xDF\xFF\xFF\xFF\x14\xFF\xFF\xFF\xF7\xFF" + "\xFF\xFF\xC5\x3F\xFF\xFF\xFD\xFF\xFF", + HTTP2_ERROR_COMPRESSION_ERROR); /* not enough space for decoding */ N_TEST ( "\x96\xD0\x7A\xBE\x94\x10\x54\xD4\x44\xA8\x20\x05\x95\x04\x0B\x81\x66" -- 2.16.6