authorGravatar Yang Gao <yangg@google.com>2015-12-08 10:13:48 -0800
committerGravatar Yang Gao <yangg@google.com>2015-12-08 10:13:48 -0800
commite987b272a1075a6f75e93be9d3f6d4378b16f708 (patch)
tree02a632dfc299956018e1d1178bc7fb51f0d3e87a
parent8344816652332fc8e3eefcdf0b19236e0aed54e3 (diff)
parentc3218147de0cc8109804f8959d7bfa6eac44b6ef (diff)
Merge pull request #4334 from ctiller/lonely-data
Fix fuzzing detected crash
-rw-r--r--src/core/transport/chttp2/hpack_parser.c22
-rw-r--r--test/core/bad_client/tests/headers.c6
2 files changed, 19 insertions, 9 deletions
diff --git a/src/core/transport/chttp2/hpack_parser.c b/src/core/transport/chttp2/hpack_parser.c
index e5453000ec..30f0d469e3 100644
--- a/src/core/transport/chttp2/hpack_parser.c
+++ b/src/core/transport/chttp2/hpack_parser.c
@@ -1418,15 +1418,19 @@ grpc_chttp2_parse_error grpc_chttp2_header_parser_parse(
GPR_TIMER_END("grpc_chttp2_hpack_parser_parse", 0);
return GRPC_CHTTP2_CONNECTION_ERROR;
}
- if (parser->is_boundary) {
- stream_parsing
- ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
- stream_parsing->header_frames_received++;
- grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
- stream_parsing);
- }
- if (parser->is_eof) {
- stream_parsing->received_close = 1;
+ /* need to check for null stream: this can occur if we receive an invalid
+ stream id on a header */
+ if (stream_parsing != NULL) {
+ if (parser->is_boundary) {
+ stream_parsing
+ ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
+ stream_parsing->header_frames_received++;
+ grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
+ stream_parsing);
+ }
+ if (parser->is_eof) {
+ stream_parsing->received_close = 1;
+ }
}
parser->on_header = on_header_not_set;
parser->on_header_user_data = NULL;
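Review bot: The write `stream_parsing->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;` inside the new null check is indexed by a counter that grows with every header boundary the peer sends, and no bound on it is visible in this hunk. If nothing earlier in the function or at frame setup caps `header_frames_received`, a peer sending extra header blocks on one stream would write past the array. Consider a guard just before the write, for example `if (stream_parsing->header_frames_received == GPR_ARRAY_SIZE(stream_parsing->got_metadata_on_parse)) return GRPC_CHTTP2_CONNECTION_ERROR;`, preceded by the same `GPR_TIMER_END` call the error path above uses. The function starts and ends outside the hunk, so such a check may already exist elsewhere.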
diff --git a/test/core/bad_client/tests/headers.c b/test/core/bad_client/tests/headers.c
index 1d18a8241a..c16bfd623b 100644
--- a/test/core/bad_client/tests/headers.c
+++ b/test/core/bad_client/tests/headers.c
@@ -195,5 +195,11 @@ int main(int argc, char **argv) {
"\x00\x00\x00\x09\x04\x00\x00\x00\x01",
0);
+ /* an invalid header found with fuzzing */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier,
+ PFX_STR
+ "\x00\x00\x00\x01\x39\x67\xed\x1d\x64",
+ GRPC_BAD_CLIENT_DISCONNECT);
+
return 0;
}
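Review bot: The comment `/* an invalid header found with fuzzing */` does not say what makes the frame invalid, so a later reader cannot tell which property this regression test pins. Decoded as an HTTP/2 frame header, the nine bytes are length 0, type 0x01 (HEADERS), flags 0x39 and stream id 0x67ed1d64, which presumably matches no open stream and so exercises the null `stream_parsing` path. I would write it as `/* zero-length HEADERS frame (flags 0x39) on unknown stream 0x67ed1d64: must not crash the parser; found with fuzzing */`.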