Ignore read data on PendingStream after invalid type byte is received.
This bug has been discovered by Chromium's ClusterFuzz at
https://crbug.com/969391. I locally verified that this CL fixes the crash
with that particular fuzzer input.
https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#frame-stop-sending
notes that a STOP_SENDING frame communicates that "incoming data is being
discarded on receipt". This CL adds a single line to make PendingStream
actually discard incoming data. Before this change, PendingStream could be
tricked into reading further data bytes by retransmitting the original stream
frame, which could have resulted in creating and activating a unidirectional
stream.
gfe-relnote: n/a, change in QUIC v99 only.
PiperOrigin-RevId: 262674708
Change-Id: Icaf0e700711b7220b36e595deb95620cac1d89af
diff --git a/quic/core/quic_session.cc b/quic/core/quic_session.cc
index 875ec22..ac4ac9b 100644
--- a/quic/core/quic_session.cc
+++ b/quic/core/quic_session.cc
@@ -157,15 +157,15 @@
if (!connection()->connected()) {
return;
}
- if (pending->sequencer()->IsClosed()) {
- ClosePendingStream(stream_id);
- return;
- }
if (ProcessPendingStream(pending)) {
// The pending stream should now be in the scope of normal streams.
DCHECK(IsClosedStream(stream_id) || IsOpenStream(stream_id))
<< "Stream " << stream_id << " not created";
pending_stream_map_.erase(stream_id);
+ return;
+ }
+ if (pending->sequencer()->IsClosed()) {
+ ClosePendingStream(stream_id);
}
}
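Review bot: The reorder changes which pending streams get a chance at ProcessPendingStream: a pending stream whose sequencer is already closed used to be closed immediately, and is now handed to ProcessPendingStream first, with ClosePendingStream only as the fallback when promotion fails. That is presumably the intent (a complete, FIN-terminated pending stream can still be promoted to a regular stream), but nothing in the hunk says so, and the relation to the discard behaviour described in the commit message is not visible here; a short comment above the ProcessPendingStream call would make the ordering deliberate rather than incidental, e.g. `// Try to promote the pending stream first; only close it if it could not be converted into a regular stream.`. It would also be worth confirming that ProcessPendingStream tolerates a closed sequencer (no readable type byte) without tripping the DCHECK or otherwise misbehaving, since that input was previously filtered out before the call. The enclosing function starts before this hunk.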