Signal error in HttpDecoder on empty PUSH_PROMISE frame.
Currently on an empty, invalid PUSH_PROMISE frame HttpDecoder transitions from
STATE_READING_FRAME_LENGTH directly to STATE_FINISH_PARSING, skipping
STATE_READING_FRAME_PAYLOAD, which results in calling
Visitor::OnPushPromiseFrameEnd() without calling
Visitor::OnPushPromiseFrameStart(). This is wrong and can cause QuicSpdyStream
to crash.
This was caught by ClusterFuzz at https://crbug.com/1001823.
Also add tests for other empty frames, and sanity DCHECKs in QuicSpdyStream.
gfe-relnote: n/a, change to QUIC v99-only code. Protected by existing disabled
gfe2_reloadable_flag_quic_enable_version_99.
PiperOrigin-RevId: 270386637
Change-Id: I0c1944d1df300136d27367679e3128dd45e9bfd3
diff --git a/quic/core/http/quic_spdy_stream.cc b/quic/core/http/quic_spdy_stream.cc
index a407d5c..a089345 100644
--- a/quic/core/http/quic_spdy_stream.cc
+++ b/quic/core/http/quic_spdy_stream.cc
@@ -127,7 +127,7 @@
bool OnPushPromiseFrameStart(PushId push_id,
QuicByteCount header_length,
QuicByteCount push_id_length) override {
- if (!VersionHasStreamType(stream_->transport_version())) {
+ if (!VersionUsesQpack(stream_->transport_version())) {
CloseConnectionOnWrongFrame("Push Promise");
return false;
}
@@ -880,6 +880,7 @@
bool QuicSpdyStream::OnHeadersFramePayload(QuicStringPiece payload) {
DCHECK(VersionUsesQpack(transport_version()));
+ DCHECK(qpack_decoded_headers_accumulator_);
if (headers_decompressed_) {
trailers_payload_length_ += payload.length();
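Review bot: The added `DCHECK(qpack_decoded_headers_accumulator_)` at the top of OnHeadersFramePayload only guards debug builds; in a release build a null accumulator still reaches its first dereference, and this path is driven by peer-supplied frames (the bug was found by fuzzing), so the check documents the invariant without enforcing it where it matters. The commit message says the root cause is fixed in HttpDecoder, which is not part of this diff, so the state-machine guarantee this DCHECK depends on cannot be confirmed from here. At minimum that dependency should be written down next to the check, e.g. `// Presumably set in OnHeadersFrameStart(); relies on HttpDecoder never delivering payload/end callbacks for a frame whose start callback was not delivered.` The same applies to the identical DCHECK in OnHeadersFrameEnd in the hunk at @@ -904, where the accumulator is dereferenced on the very next line. OnHeadersFramePayload's body continues outside the hunk.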
@@ -904,6 +905,7 @@
bool QuicSpdyStream::OnHeadersFrameEnd() {
DCHECK(VersionUsesQpack(transport_version()));
+ DCHECK(qpack_decoded_headers_accumulator_);
auto result = qpack_decoded_headers_accumulator_->EndHeaderBlock();