hyperium / h2

HTTP 2.0 client & server implementation for Rust.
MIT License

Out of bounds access in h2::hpack::table::Table::index_dynamic #590

Open eaufavor opened 2 years ago

eaufavor commented 2 years ago

On v0.3.7, I saw this panic in our service. Unfortunately, I was not able to capture the input that caused this. It seems it is related to the soundness of the index there, but I don't understand it well enough, so I am just logging the issue here in case anyone knows anything about it.

Application Specific Information:
Out of bounds access

Thread 0 Crashed:
0   std                              std::sys_common::backtrace::__rust_end_short_backtrace (backtrace.rs:141)
1   <unknown>                rust_begin_unwind (panicking.rs:515)
2   core                            core::panicking::panic_fmt (panicking.rs:92)
3   core                            core::option::expect_failed (option.rs:1243)
4   core                            [inlined] core::option::Option<T>::expect (option.rs:351)
5   alloc                           [inlined] alloc::collections::vec_deque::VecDeque<T>::index (mod.rs:2724)
6   h2                               [inlined] h2::hpack::table::Table::index_dynamic (table.rs:193)
7   h2                               [inlined] h2::hpack::table::Table::index (table.rs:157)
8   h2                               [inlined] h2::hpack::encoder::Encoder::encode (encoder.rs:77)
9   h2                               h2::frame::headers::HeaderBlock::into_encoding (headers.rs:904)
10  h2                              h2::frame::headers::Headers::encode (headers.rs:268)
11  h2                               [inlined] h2::codec::framed_write::Encoder<T>::buffer (framed_write.rs:264)
12  h2                              [inlined] h2::codec::framed_write::FramedWrite<T>::buffer (framed_write.rs:115)
13  h2                              h2::codec::Codec<T>::buffer (mod.rs:141)
14  h2                              [inlined] h2::proto::streams::prioritize::Prioritize::poll_complete (prioritize.rs:505)
15  h2                              [inlined] h2::proto::streams::send::Send::poll_complete (send.rs:297)
16  h2                              h2::proto::streams::streams::Inner::poll_complete (streams.rs:850)
17  h2                              [inlined] h2::proto::streams::streams::Streams<T>::poll_complete (streams.rs:180)
18  h2                              [inlined] h2::proto::connection::Connection<T>::poll (connection.rs:253)
19  h2                              h2::client::Connection<T>::poll (client.rs:1279)