Google Git
Sign in
quiche/quiche.git/4ab9d9f83d0daa0306b159c3959ddafb8add7138^!/.
commit
4ab9d9f83d0daa0306b159c3959ddafb8add7138
[log]
author
renjietang <renjietang@google.com>
Wed Apr 10 14:30:26 2019 -0700
committer
Copybara-Service <copybara-worker@google.com>
Wed Apr 10 14:31:41 2019 -0700
tree
da670a653cf2dbc6bd0d4bc8aec6f7094b61eda8
parent
b78bbaf8a3f615597882fc1c31a5e15f70d41a70 [diff]
Impose upper limit on the frame length of some HTTP/3 frames. This helps
prevent attacks that send malformed data.

gfe-relnote: n/a --unused code.
PiperOrigin-RevId: 242941217
Change-Id: Ic1f97f091afb57a38dc05e98ee1a5c42f1caf95a

diff --git a/quic/core/http/http_decoder.cc b/quic/core/http/http_decoder.cc
index 972cb37..0a2ea0d 100644
--- a/quic/core/http/http_decoder.cc
+++ b/quic/core/http/http_decoder.cc

@@ -26,6 +26,10 @@
 
 // Length of the type field of HTTP/3 frames.
 static const QuicByteCount kFrameTypeLength = 1;
+// Length of the weight field of a priority frame.
+static const size_t kPriorityWeightLength = 1;
+// Length of a priority frame's first byte.
+static const size_t kPriorityFirstByteLength = 1;
 
 }  // namespace
 
@@ -98,6 +102,12 @@
     return;
   }
 
+  if (current_frame_length_ > MaxFrameLength(current_frame_type_)) {
+    RaiseError(QUIC_INTERNAL_ERROR, "Frame is too large");
+    visitor_->OnError(this);
+    return;
+  }
+
   // Calling the following two visitor methods does not require parsing of any
   // frame payload.
   if (current_frame_type_ == 0x0) {
@@ -152,15 +162,10 @@
       break;
     }
     case 0x3: {  // CANCEL_PUSH
-      // TODO(rch): Handle partial delivery.
       BufferFramePayload(reader);
       break;
     }
     case 0x4: {  // SETTINGS
-      // TODO(rch): Handle overly large SETTINGS frames. Either:
-      // 1. Impose a limit on SETTINGS frame size, and close the connection if
-      //    exceeded
-      // 2. Implement a streaming parsing mode.
       BufferFramePayload(reader);
       break;
     }
@@ -439,4 +444,26 @@
   return true;
 }
 
+QuicByteCount HttpDecoder::MaxFrameLength(uint8_t frame_type) {
+  switch (frame_type) {
+    case 0x2:  // PRIORITY
+      return kPriorityFirstByteLength + VARIABLE_LENGTH_INTEGER_LENGTH_8 * 2 +
+             kPriorityWeightLength;
+    case 0x3:  // CANCEL_PUSH
+      return sizeof(PushId);
+    case 0x4:  // SETTINGS
+      // This limit is arbitrary.
+      return 1024 * 1024;
+    case 0x7:  // GOAWAY
+      return sizeof(QuicStreamId);
+    case 0xD:  // MAX_PUSH_ID
+      return sizeof(PushId);
+    case 0xE:  // DUPLICATE_PUSH
+      return sizeof(PushId);
+    default:
+      // Other frames require no data buffering, so it's safe to have no limit.
+      return std::numeric_limits<QuicByteCount>::max();
+  }
+}
+
 }  // namespace quic

diff --git a/quic/core/http/http_decoder.h b/quic/core/http/http_decoder.h
index 2318a03..225941d 100644
--- a/quic/core/http/http_decoder.h
+++ b/quic/core/http/http_decoder.h

@@ -164,6 +164,9 @@
   // Parses the payload of a SETTINGS frame from |reader| into |frame|.
   bool ParseSettingsFrame(QuicDataReader* reader, SettingsFrame* frame);
 
+  // Returns the max frame size of a given |frame_type|.
+  QuicByteCount MaxFrameLength(uint8_t frame_type);
+
   // Visitor to invoke when messages are parsed.
   Visitor* visitor_;  // Unowned.
   // Current state of the parsing.

diff --git a/quic/core/http/http_decoder_test.cc b/quic/core/http/http_decoder_test.cc
index a4202e1..0f7b60c 100644
--- a/quic/core/http/http_decoder_test.cc
+++ b/quic/core/http/http_decoder_test.cc

@@ -3,7 +3,9 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
+
 #include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
+#include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 
@@ -479,4 +481,30 @@
   EXPECT_EQ("", decoder_.error_detail());
 }
 
+TEST_F(HttpDecoderTest, MalformedFrameWithOverlyLargePayload) {
+  char input[] = {0x10,   // length
+                  0x03,   // type (CANCEL_PUSH)
+                  0x15};  // malformed payload
+  // Process the full frame.
+  EXPECT_CALL(visitor_, OnError(&decoder_));
+  EXPECT_EQ(0, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
+  EXPECT_EQ("Frame is too large", decoder_.error_detail());
+}
+
+TEST_F(HttpDecoderTest, MalformedSettingsFrame) {
+  char input[30];
+  QuicDataWriter writer(30, input);
+  // Write length.
+  writer.WriteVarInt62(2048 * 1024);
+  // Write type SETTINGS.
+  writer.WriteUInt8(0x04);
+
+  writer.WriteStringPiece("Malformed payload");
+  EXPECT_CALL(visitor_, OnError(&decoder_));
+  EXPECT_EQ(0, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+  EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
+  EXPECT_EQ("Frame is too large", decoder_.error_detail());
+}
+
 }  // namespace quic