Inconsistency in vtc_http2 parse_hdr #4176

Open
nigoroll opened this issue Sep 12, 2024 · 1 comment
nigoroll commented Sep 12, 2024

Coverity CID 1605314 Overflowed return value

	if (f->md.padded >= size) {
		vtc_log(s->vl, hp->fatal,
		    "invalid padding: %d reported,"
		    "but size is only %d",
		    f->md.padded, size);
		size = 0;
		f->md.padded = 0;
	}
	shift += 1;
	size -= f->md.padded;

for f->md.padded >= size incrementing shift by one actually looks wrong to me. And why shift += 1 in the first place and not shift += f->md.padded?

Edit: Very similar issue here:

	if (f->md.padded >= size) {
		vtc_log(s->vl, hp->fatal,
		    "invalid padding: %d reported,"
		    "but size is only %d",
		    f->md.padded, size);
		size = 0;
		f->md.padded = 0;
	}
	data++;
	size -= f->md.padded + 1;

bsdphk (Contributor) commented Sep 16, 2024

I think this looks mostly correct.

shift is where data starts, and the length of the padding goes in front of the data (rfc7540 p30)

But I'm wondering now if it shouldn't be size -= 1 + f->md.padded also in line 514?
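An added example, not Varnish's vtc_http2 code, of the PADDED payload layout bsdphk refers to and of the RFC 7540 check the two snippets above guard; the function name parse_padded_payload and the sample frames are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Payload of a DATA or HEADERS frame with the PADDED flag set
 * (RFC 7540 sections 6.1, 6.2):
 *
 *   | Pad Length (1 octet) | data ... | Padding (Pad Length octets) |
 *
 * Returns the data length and stores the data offset in *data_off
 * (when not NULL). Returns -1 for a malformed payload: RFC 7540 makes
 * a padding length >= the payload length a PROTOCOL_ERROR.
 */
static int
parse_padded_payload(const uint8_t *payload, size_t size, size_t *data_off)
{
	size_t padded;

	if (size < 1)		/* no room for the Pad Length octet */
		return (-1);
	padded = payload[0];
	if (padded >= size)	/* padding would swallow the length octet */
		return (-1);
	if (data_off != NULL)
		*data_off = 1;	/* data starts right after Pad Length */
	/* Both the Pad Length octet and the padding come off the count;
	 * subtracting only `padded` would over-count the data by one. */
	return ((int)(size - 1 - padded));
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t frame_ok[]   = { 2, 'a', 'b', 'c', 0, 0 }; /* 3 data octets */
static const uint8_t frame_edge[] = { 5, 0, 0, 0, 0, 0 };       /* 0 data octets, valid */
static const uint8_t frame_bad[]  = { 6, 'a', 'b', 'c', 0, 0 }; /* padding >= size */

int main(void)
{
	size_t off = 0;
	int len;

	len = parse_padded_payload(frame_ok, sizeof frame_ok, &off);
	printf("frame_ok:   len=%d off=%zu\n", len, off);
	len = parse_padded_payload(frame_edge, sizeof frame_edge, &off);
	printf("frame_edge: len=%d off=%zu\n", len, off);
	len = parse_padded_payload(frame_bad, sizeof frame_bad, NULL);
	printf("frame_bad:  len=%d (PROTOCOL_ERROR)\n", len);
	return (0);
}
```

frame_edge is the case the thread is circling: with padding filling everything after the length octet, the data count must come out as 0, which only happens when the length octet is subtracted as well.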
