Impose upper limit on the frame length of some HTTP/3 frames. This helps
prevent attacks that send malformed data.
gfe-relnote: n/a --unused code.
PiperOrigin-RevId: 242941217
Change-Id: Ic1f97f091afb57a38dc05e98ee1a5c42f1caf95a
diff --git a/quic/core/http/http_decoder_test.cc b/quic/core/http/http_decoder_test.cc
index a4202e1..0f7b60c 100644
--- a/quic/core/http/http_decoder_test.cc
+++ b/quic/core/http/http_decoder_test.cc
@@ -3,7 +3,9 @@
// found in the LICENSE file.
#include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
+
#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
+#include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
@@ -479,4 +481,30 @@
EXPECT_EQ("", decoder_.error_detail());
}
+TEST_F(HttpDecoderTest, MalformedFrameWithOverlyLargePayload) {
+ char input[] = {0x10, // length
+ 0x03, // type (CANCEL_PUSH)
+ 0x15}; // malformed payload
+ // Process the full frame.
+ EXPECT_CALL(visitor_, OnError(&decoder_));
+ EXPECT_EQ(0, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+ EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
+ EXPECT_EQ("Frame is too large", decoder_.error_detail());
+}
+
+TEST_F(HttpDecoderTest, MalformedSettingsFrame) {
+ char input[30];
+ QuicDataWriter writer(30, input);
+ // Write length.
+ writer.WriteVarInt62(2048 * 1024);
+ // Write type SETTINGS.
+ writer.WriteUInt8(0x04);
+
+ writer.WriteStringPiece("Malformed payload");
+ EXPECT_CALL(visitor_, OnError(&decoder_));
+ EXPECT_EQ(0, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
+ EXPECT_EQ(QUIC_INTERNAL_ERROR, decoder_.error());
+ EXPECT_EQ("Frame is too large", decoder_.error_detail());
+}
+
} // namespace quic
