Signal error in HttpDecoder on empty PUSH_PROMISE frame.
Currently, on an empty, invalid PUSH_PROMISE frame, HttpDecoder transitions from
STATE_READING_FRAME_LENGTH directly to STATE_FINISH_PARSING, skipping
STATE_READING_FRAME_PAYLOAD, which results in calling
Visitor::OnPushPromiseFrameEnd() without calling
Visitor::OnPushPromiseFrameStart(). This is wrong and can cause QuicSpdyStream
to crash.
This was caught by ClusterFuzz at https://crbug.com/1001823.
Also add tests for other empty frames, and sanity DCHECKs in QuicSpdyStream.
gfe-relnote: n/a, change to QUIC v99-only code. Protected by existing disabled
gfe2_reloadable_flag_quic_enable_version_99.
PiperOrigin-RevId: 270386637
Change-Id: I0c1944d1df300136d27367679e3128dd45e9bfd3
diff --git a/quic/core/http/http_decoder.cc b/quic/core/http/http_decoder.cc
index c9519fe..e1fa36e 100644
--- a/quic/core/http/http_decoder.cc
+++ b/quic/core/http/http_decoder.cc
@@ -153,6 +153,10 @@
continue_processing = visitor_->OnSettingsFrameStart(header_length);
break;
case static_cast<uint64_t>(HttpFrameType::PUSH_PROMISE):
+ if (current_frame_length_ == 0) {
+ RaiseError(QUIC_INVALID_FRAME_DATA, "Corrupt PUSH_PROMISE frame.");
+ return false;
+ }
break;
case static_cast<uint64_t>(HttpFrameType::GOAWAY):
break;
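Review bot: The new `current_frame_length_ == 0` check in the PUSH_PROMISE case reports only "Corrupt PUSH_PROMISE frame.", which does not tell a reader of the error log what was wrong; since the commit message says the bug is that a zero-length frame skipped STATE_READING_FRAME_PAYLOAD and caused OnPushPromiseFrameEnd() to be called without OnPushPromiseFrameStart(), the message should name the cause, e.g. `RaiseError(QUIC_INVALID_FRAME_DATA, "Zero-length PUSH_PROMISE frame.");`, and a one-line comment above the `if` should state that the check exists to keep the decoder from transitioning straight to STATE_FINISH_PARSING. The correctness of the fix also rests on `return false` after RaiseError() stopping further state transitions in the caller, which is not visible in this hunk; the tests the commit message mentions for empty frames should assert both that the error is raised and that neither visitor callback fires.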