hyperium / h2

HTTP 2.0 client & server implementation for Rust.
MIT License

Fix panic if remote causes local to reset a stream before opening #571

Closed seanmonstar closed 2 years ago

seanmonstar commented 2 years ago

If the remote sent a frame on a stream it wasn't supposed to (such as a server sending a response on a request stream that hadn't been opened yet), AND that frame was malformed such that it triggered a codec error (and thus not reaching the "you're not allowed to open" error), then the stream store state would get out of sync. It would have stored that a stream "existed", but the next_stream_id could still suggest that ID when sending a new request. Finally, when trying to store that new request, we'd hit a panic that the stream already existed.

The panic was correct, the stream did already exist. We shouldn't send a request with that "used" stream ID. So this patch makes sure that when sending a reset, if applicable, we update the next_stream_id.

It could be argued that we should be converting that reset into a connection error, since the remote shouldn't have sent the bad frame in the first place. That'd require more refactoring. And this isn't likely something that is really encountered in practice, but rather something found by fuzzing.

Closes #570
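
A minimal model of the state desync described in this pull request, added here as an illustration and not h2's own code: `Client`, `send_reset`, `open_request` and the `fixed` switch are hypothetical names, and the panic is modelled as an `Err` so both behaviours can be compared.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum State { Open, ResetLocal }

/// Simplified client-side model: a stream store plus the next ID to allocate.
struct Client {
    next_stream_id: u32, // client-initiated streams use odd IDs (RFC 7540, section 5.1.1)
    store: HashMap<u32, State>,
    fixed: bool, // hypothetical switch: apply the next_stream_id update on reset
}

impl Client {
    fn new(fixed: bool) -> Self {
        Client { next_stream_id: 1, store: HashMap::new(), fixed }
    }

    /// A codec error on a frame for `id` records the stream and resets it locally.
    fn send_reset(&mut self, id: u32) {
        self.store.insert(id, State::ResetLocal);
        let locally_initiated = id % 2 == 1;
        if self.fixed && locally_initiated && id >= self.next_stream_id {
            self.next_stream_id = id + 2; // never hand out a "used" ID
        }
    }

    /// Allocate the next ID for a new request; Err stands in for the panic.
    fn open_request(&mut self) -> Result<u32, String> {
        let id = self.next_stream_id;
        if self.store.contains_key(&id) {
            return Err(format!("stream {} already exists", id));
        }
        self.store.insert(id, State::Open);
        self.next_stream_id += 2;
        Ok(id)
    }
}

fn main() {
    for &fixed in &[false, true] {
        let mut c = Client::new(fixed);
        c.send_reset(1); // constructed case: malformed frame on unopened stream 1
        println!("fixed={}: {:?}", fixed, c.open_request());
    }
}
```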