authorRoman Arutyunyan <arut@nginx.com>2020-09-16 12:27:23 +0100
committerRoman Arutyunyan <arut@nginx.com>2020-09-16 12:27:23 +0100
commit9fff3b7516936ef663926f33c30b15b08ecfd7ae (patch)
tree722d2885de5abdd457ff15b0e59d67bc1692b51f /src
parentd294369915461ba764426c709301b6c66ed33681 (diff)
downloadnginx-9fff3b7516936ef663926f33c30b15b08ecfd7ae.tar.gz
nginx-9fff3b7516936ef663926f33c30b15b08ecfd7ae.zip
HTTP/3: reject HTTP/2 frames.
As per HTTP/3 draft 30, section 7.2.8: Frame types that were used in HTTP/2 where there is no corresponding HTTP/3 frame have also been reserved (Section 11.2.1). These frame types MUST NOT be sent, and their receipt MUST be treated as a connection error of type H3_FRAME_UNEXPECTED.
Diffstat (limited to 'src')
-rw-r--r--src/http/v3/ngx_http_v3_parse.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
index 8f47b4d99..96f87b0b6 100644
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -10,6 +10,10 @@
#include <ngx_http.h>
+#define ngx_http_v3_is_v2_frame(type) \
+ ((type) == 0x02 || (type) == 0x06 || (type) == 0x08 || (type) == 0x09)
+
+
static ngx_int_t ngx_http_v3_parse_lookup(ngx_connection_t *c,
ngx_uint_t dynamic, ngx_uint_t index, ngx_str_t *name, ngx_str_t *value);
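Review bot: The four literals in `ngx_http_v3_is_v2_frame` carry no explanation, so a reader has to consult the draft to learn which HTTP/2 frames are being rejected. A comment above the macro such as `/* HTTP/2 frame types reserved in HTTP/3: PRIORITY (0x02), PING (0x06), WINDOW_UPDATE (0x08), CONTINUATION (0x09) */` would make the list auditable against section 7.2.8. The macro also expands `type` four times; every call site in this commit passes `st->type`, which has no side effects, but a `static ngx_inline` function would remove that hazard for later callers.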
@@ -182,6 +186,11 @@ ngx_http_v3_parse_headers(ngx_connection_t *c, ngx_http_v3_parse_headers_t *st,
}
st->type = st->vlint.value;
+
+ if (ngx_http_v3_is_v2_frame(st->type)) {
+ return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+ }
+
st->state = sw_length;
break;
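Review bot: The rejection added in `ngx_http_v3_parse_headers` returns `NGX_HTTP_V3_ERR_FRAME_UNEXPECTED` without recording which frame type triggered it, and the identical check added in `ngx_http_v3_parse_data` does the same. Unless the caller already logs the error together with the type (not visible here), an operator investigating a closed connection cannot distinguish a reserved HTTP/2 frame from any other unexpected frame. Consider a line before the return such as `ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent reserved HTTP/2 frame type:%ui", st->type);`, assuming `st->type` is an `ngx_uint_t` as the `%ui` in the control parser suggests. The function body starts and ends outside the hunk.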
@@ -986,6 +995,10 @@ ngx_http_v3_parse_control(ngx_connection_t *c, void *data, u_char ch)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http3 parse frame type:%ui", st->type);
+ if (ngx_http_v3_is_v2_frame(st->type)) {
+ return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+ }
+
if (st->state == sw_first_type
&& st->type != NGX_HTTP_V3_FRAME_SETTINGS)
{
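Review bot: Placing the reserved-type check ahead of the `sw_first_type` test in `ngx_http_v3_parse_control` means a reserved HTTP/2 frame arriving as the first frame on the control stream is reported as `NGX_HTTP_V3_ERR_FRAME_UNEXPECTED` rather than whatever the SETTINGS check returns. The body of that check lies outside the hunk, so this is inferred, but it presumably yields the missing-SETTINGS error; both close the connection, yet the error code sent to the peer differs. If the order is deliberate, a short comment would record it, for example `/* reserved HTTP/2 types are rejected before the first-frame SETTINGS check */`.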
@@ -1581,6 +1594,10 @@ ngx_http_v3_parse_data(ngx_connection_t *c, ngx_http_v3_parse_data_t *st,
goto done;
}
+ if (ngx_http_v3_is_v2_frame(st->type)) {
+ return NGX_HTTP_V3_ERR_FRAME_UNEXPECTED;
+ }
+
st->state = sw_length;
break;