HTTP/3: require that field section base index is not negative.

author Roman Arutyunyan <arut@nginx.com>

Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)

committer Roman Arutyunyan <arut@nginx.com>

Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)
author Roman Arutyunyan <arut@nginx.com>
Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)
committer Roman Arutyunyan <arut@nginx.com>
Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c

index cd70bd3bf604640f2694a5cdee00ff091933f1bb..7dc53493cb0ee22c111d3ebcf86e11b7d0d8292c 100644 (file)
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -474,7 +474,13 @@ done:
      }
  
      if (st->sign) {
+        if (st->insert_count <= st->delta_base) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent negative base");
+            return NGX_HTTP_V3_ERR_DECOMPRESSION_FAILED;
+        }
+
          st->base = st->insert_count - st->delta_base - 1;
+
      } else {
          st->base = st->insert_count + st->delta_base;
      }
author	Roman Arutyunyan <arut@nginx.com>
	Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)
committer	Roman Arutyunyan <arut@nginx.com>
	Thu, 26 May 2022 12:17:56 +0000 (16:17 +0400)