author | Craig Tiller <ctiller@google.com> | 2015-12-08 08:53:09 -0800 |
---|---|---|
committer | Craig Tiller <ctiller@google.com> | 2015-12-08 08:53:09 -0800 |
commit | d391b560ece42fd3cae93df5551dbd2a42785535 (patch) | |
tree | 32b39cb4f7ce80ea1d802d0c5ccf7ff95e767cfe | |
parent | e9307929d440d9323a3aa5655c65deed5f367e81 (diff) |
Add integer overflow cases
-rw-r--r-- | src/core/transport/chttp2/hpack_parser.c | 5 | ||||
-rw-r--r-- | test/core/bad_client/tests/headers.c | 25 |
2 files changed, 28 insertions, 2 deletions
diff --git a/src/core/transport/chttp2/hpack_parser.c b/src/core/transport/chttp2/hpack_parser.c
index e5453000ec..35a0d2a6b4 100644
--- a/src/core/transport/chttp2/hpack_parser.c
+++ b/src/core/transport/chttp2/hpack_parser.c
@@ -1066,7 +1066,7 @@ static int parse_value4(grpc_chttp2_hpack_parser *p, const gpr_uint8 *cur,
 error:
 gpr_log(GPR_ERROR,
 "integer overflow in hpack integer decoding: have 0x%08x, "
- "got byte 0x%02x",
+ "got byte 0x%02x on byte 5",
 *p->parsing.value, *cur);
 return parse_error(p, cur, end);
 }
@@ -1091,7 +1091,8 @@ static int parse_value5up(grpc_chttp2_hpack_parser *p, const gpr_uint8 *cur,
 gpr_log(GPR_ERROR,
 "integer overflow in hpack integer decoding: have 0x%08x, "
- "got byte 0x%02x sometime after byte 4");
+ "got byte 0x%02x sometime after byte 5",
+ *p->parsing.value, *cur);
 return parse_error(p, cur, end);
 }
diff --git a/test/core/bad_client/tests/headers.c b/test/core/bad_client/tests/headers.c
index c3f7edbd50..036a33ccb7 100644
--- a/test/core/bad_client/tests/headers.c
+++ b/test/core/bad_client/tests/headers.c
@@ -207,6 +207,20 @@ int main(int argc, char **argv) {
 "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
 "\xff\x80\x80\x80\x80\x80\x80\x00",
 0);
+ /* overflow on byte 4 */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x06\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x7f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x06\x01\x04\x00\x00\x00\x01"
+ "\xff\xff\xff\xff\xff\x0f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ /* overflow after byte 4 */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x80\x80\x02",
+ 0);
 /* end of headers mid-opcode */
 GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
 "\x00\x00\x01\x01\x04\x00\x00\x00\x01"
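Review bot: Nothing visible in this change would catch a repeat of the mismatch fixed in `parse_value5up`, where the old `gpr_log` call carried two conversions (`0x%08x`, `0x%02x`) and no arguments. That made the log read indeterminate varargs on what appears to be a peer-reachable error path. The declaration of `gpr_log` is outside this diff; if it is not already annotated with a printf-style format attribute, adding one and building with `-Wformat` would turn this class of mistake into a compile-time diagnostic. The body of `parse_value5up` starts outside the hunk, so the conditions that lead to this log call cannot be checked from here.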
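Review bot: The new test comments number the offending byte differently from the parser messages changed in this same commit. The tests say `/* overflow on byte 4 */` and `/* overflow after byte 4 */`, while `hpack_parser.c` now logs "on byte 5" and "sometime after byte 5" for what appear to be the same two paths. Using one convention, for example `/* overflow on byte 5 */`, would let a reader match a failing case to its log line. The cases also pass either `GRPC_BAD_CLIENT_DISCONNECT` or `0` with nothing saying which server reaction each expects, and the same holds for the dynamic table size update cases in the following hunk. A one-line comment per case stating the expected outcome would make an accidental flip of the flag reviewable. These calls sit inside `main`, which starts and ends outside the hunk.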
@@ -219,11 +233,22 @@ int main(int argc, char **argv) {
 "\x00\x00\x03\x01\x04\x00\x00\x00\x01"
 "\x3f\xe1\x1f",
 GRPC_BAD_CLIENT_DISCONNECT);
+ /* dynamic table size update: set too large */
 GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
 "\x00\x00\x03\x01\x04\x00\x00\x00\x01"
 "\x3f\xf1\x1f",
 0);
+ /* dynamic table size update: set twice */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x04\x01\x04\x00\x00\x00\x01"
+ "\x20\x3f\xe1\x1f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ /* dynamic table size update: set thrice */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x03\x01\x04\x00\x00\x00\x01"
+ "\x20\x20\x20",
+ 0);
 /* non-ending header followed by continuation frame */
 GRPC_RUN_BAD_CLIENT_TEST(verifier, |