|
| 1 | +From bab1c67758dcc35ee7dedeb6ac1248334b1224eb Mon Sep 17 00:00:00 2001 |
| 2 | +From: AllSpark <allspark@microsoft.com> |
| 3 | +Date: Tue, 14 Apr 2026 22:02:44 +0000 |
| 4 | +Subject: [PATCH] BUG/MAJOR: h3: check body size with content-length on empty |
| 5 | + FIN |
| 6 | + |
| 7 | +In QUIC, a STREAM frame may be received with no data but with FIN bit set. This |
| 8 | +situation is tedious to handle and haproxy parsing code has changed several |
| 9 | +times to deal with this situation. Now, H3 and H09 layers parsing code are |
| 10 | +skipped in favor of the shared function qcs_http_handle_standalone_fin() used to |
| 11 | +handle the HTX EOM emission. |
| 12 | + |
| 13 | +However, this shortcut bypasses an important HTTP/3 validation check on the |
| 14 | +received body size vs the announced content-length header. Under some |
| 15 | +conditions, this could cause a desynchronization with the backend server which |
| 16 | +could be exploited for request smuggling. |
| 17 | + |
| 18 | +Fix HTTP/3 parsing code by adding a call to h3_check_body_size() prior to |
| 19 | +qcs_http_handle_standalone_fin() if content-length header has been found. If the |
| 20 | +body size is incorrect, the stream is immediately resetted with H3_MESSAGE_ERROR |
| 21 | +code and the error is forwarded to the stream layer. |
| 22 | + |
| 23 | +Thanks to Martino Spagnuolo for his detailed report on this issue and for having |
| 24 | +contacting us about it via the security mailing list. |
| 25 | + |
| 26 | +This must be backported up to 2.6. |
| 27 | + |
| 28 | +(cherry picked from commit 05a295441c621089ffa4318daf0dbca2dd756a84) |
| 29 | +Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com> |
| 30 | +(cherry picked from commit 18e450ab412fb9397da36f226db8eed31ab590b6) |
| 31 | +Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com> |
| 32 | +(cherry picked from commit 7ab4ae974c434e62896b3c68b7b485b9dceb7a25) |
| 33 | +[ad: remove usage of qcs_http_handle_standalone_fin() introduced in 3.2] |
| 34 | +Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com> |
| 35 | +(cherry picked from commit ae54ad97c84cd6173f134c1f052a5375cf704f5c) |
| 36 | +Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com> |
| 37 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 38 | +Upstream-reference: AI Backport of https://git.haproxy.org/?p=haproxy-3.0.git;a=patch;h=425b969d6ea4114f4ae260f57802c65ccafc319c |
| 39 | +--- |
| 40 | + src/h3.c | 7 +++++++ |
| 41 | + 1 file changed, 7 insertions(+) |
| 42 | + |
| 43 | +diff --git a/src/h3.c b/src/h3.c |
| 44 | +index 73adf0c..652cdff 100644 |
| 45 | +--- a/src/h3.c |
| 46 | ++++ b/src/h3.c |
| 47 | +@@ -1287,6 +1287,13 @@ static ssize_t h3_decode_qcs(struct qcs *qcs, struct buffer *b, int fin) |
| 48 | + struct htx *htx; |
| 49 | + |
| 50 | + TRACE_PROTO("received FIN without data", H3_EV_RX_FRAME, qcs->qcc->conn, qcs); |
| 51 | ++ /* FIN received, ensure body length is conform to any content-length header. */ |
| 52 | ++ if ((h3s->flags & H3_SF_HAVE_CLEN) && h3_check_body_size(qcs, 1)) { |
| 53 | ++ qcc_abort_stream_read(qcs); |
| 54 | ++ qcc_reset_stream(qcs, h3s->err); |
| 55 | ++ goto done; |
| 56 | ++ } |
| 57 | ++ |
| 58 | + if (!(appbuf = qcs_get_buf(qcs, &qcs->rx.app_buf))) { |
| 59 | + TRACE_ERROR("data buffer alloc failure", H3_EV_RX_FRAME, qcs->qcc->conn, qcs); |
| 60 | + h3c->err = H3_INTERNAL_ERROR; |
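Review bot: The new reject branch right after the `TRACE_PROTO("received FIN without data", ...)` call resets the stream without emitting any trace, whereas the neighbouring failure path in the same block (the `qcs_get_buf()` alloc failure) records the event with `TRACE_ERROR` before setting `h3c->err`; a content-length mismatch that ends in a stream reset is exactly the protocol violation operators want visible in traces. Adding `TRACE_ERROR("body size mismatch on FIN without data", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);` as the first statement inside the `if` would keep the two paths consistent. The branch also assumes `h3_check_body_size(qcs, 1)` has stored the error code in `h3s->err` before `qcc_reset_stream(qcs, h3s->err)` reads it, and that the `done:` label returns a value the caller treats as the stream being finished (the message says the error is "forwarded to the stream layer"); neither is visible in the hunk, so confirm both against the helper and against the existing data-frame call site of `h3_check_body_size()` in this function, especially since this is a hand-adjusted backport that drops the 3.2 helper. `h3_decode_qcs()` starts and ends outside the hunk, and `h3s` is declared outside it as well.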
| 61 | +-- |
| 62 | +2.45.4 |
| 63 | + |