hyperium / h2

HTTP 2.0 client & server implementation for Rust.
MIT License
1.36k stars 272 forks

Fix for a fuzzer-discovered integer underflow of the flow control window size #692

Closed f0rki closed 1 year ago

f0rki commented 1 year ago

Fuzzing discovered an integer underflow in the flow control handling that can be triggered by a certain sequence of frames. In release builds this would lead to wrap-around of the negative window. This seems incorrect to me. I did not find anything definitive in the http2 spec.

Removed the SubAssign, etc. syntactic sugar functions and switched to returning Result on over/underflow.

Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with debug_assert!, assuming that those code paths do not over/underflow. In this case I left TODO: comments.
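The checked window arithmetic the description above outlines, as an added example that is not h2's own code: a window type whose increase/decrease/consume operations return `Result` instead of relying on `AddAssign`/`SubAssign`, with the plain wrapping variant beside it to show what a release build would have produced on the same frame sequence. The names `Window`, `Frame`, `FlowControlError` and `apply_frames` are illustrative, the frame sequence in `main` is constructed, and sending the GOAWAY itself is left to the caller.

```rust
// Added example, not h2's code: checked HTTP/2 flow-control window arithmetic.
// Window, Frame, FlowControlError and apply_frames are illustrative names.
use std::convert::TryFrom;

/// Largest window the protocol allows: 2^31 - 1 (RFC 7540 section 6.9.1).
pub const MAX_WINDOW_SIZE: i32 = i32::MAX;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FlowControlError {
    /// Window would exceed 2^31 - 1; the spec mandates FLOW_CONTROL_ERROR.
    Overflow,
    /// Window would fall below i32::MIN. A negative window is legal after an
    /// initial-window-size decrease (section 6.9.2); a wrap-around never is.
    Underflow,
    /// DATA payload larger than the window currently available.
    WindowExceeded,
}

/// A flow-control window; signed because it may legitimately go negative.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Window(i32);

impl Window {
    pub fn new(size: i32) -> Self { Window(size) }
    pub fn available(self) -> i32 { self.0 }

    /// WINDOW_UPDATE increment or an initial-window-size increase.
    pub fn increase(&mut self, inc: u32) -> Result<(), FlowControlError> {
        let inc = i32::try_from(inc).map_err(|_| FlowControlError::Overflow)?;
        // checked_add caps the result at i32::MAX == MAX_WINDOW_SIZE.
        self.0 = self.0.checked_add(inc).ok_or(FlowControlError::Overflow)?;
        Ok(())
    }

    /// Initial-window-size decrease applied to an open stream. May push the
    /// window negative, but a result below i32::MIN is rejected, not wrapped.
    pub fn decrease(&mut self, dec: u32) -> Result<(), FlowControlError> {
        let dec = i32::try_from(dec).map_err(|_| FlowControlError::Underflow)?;
        self.0 = self.0.checked_sub(dec).ok_or(FlowControlError::Underflow)?;
        Ok(())
    }

    /// Charge a DATA payload of `len` bytes against the window.
    pub fn consume(&mut self, len: usize) -> Result<(), FlowControlError> {
        let len = i32::try_from(len).map_err(|_| FlowControlError::WindowExceeded)?;
        // A negative or too-small window cannot absorb any payload.
        if len > self.0 {
            return Err(FlowControlError::WindowExceeded);
        }
        // 0 <= len <= self.0 here, so this subtraction cannot underflow.
        self.0 -= len;
        Ok(())
    }
}

/// Peer-originated events that touch one stream's window.
#[derive(Debug, Clone, Copy)]
pub enum Frame {
    WindowUpdate(u32),
    InitialWindowDecrease(u32),
    Data(usize),
}

/// Replay a frame sequence with checked arithmetic. The first violation
/// aborts; that is the point where a real peer would send GOAWAY.
pub fn apply_frames(start: i32, frames: &[Frame]) -> Result<i32, FlowControlError> {
    let mut w = Window::new(start);
    for f in frames {
        match *f {
            Frame::WindowUpdate(n) => w.increase(n)?,
            Frame::InitialWindowDecrease(n) => w.decrease(n)?,
            Frame::Data(n) => w.consume(n)?,
        }
    }
    Ok(w.available())
}

/// The behaviour being fixed: the same sequence with wrapping `+=` / `-=`.
pub fn apply_frames_wrapping(start: i32, frames: &[Frame]) -> i32 {
    let mut w = start;
    for f in frames {
        w = match *f {
            Frame::WindowUpdate(n) => w.wrapping_add(n as i32),
            Frame::InitialWindowDecrease(n) => w.wrapping_sub(n as i32),
            Frame::Data(n) => w.wrapping_sub(n as i32),
        };
    }
    w
}

fn main() {
    // Constructed sequence: two maximal initial-window decreases on a stream
    // starting at the default 65,535-byte window. The first leaves the window
    // legitimately negative; the second would cross i32::MIN and, wrapped,
    // lands the window back at a positive value that admits more DATA.
    let seq = [
        Frame::InitialWindowDecrease(MAX_WINDOW_SIZE as u32),
        Frame::InitialWindowDecrease(MAX_WINDOW_SIZE as u32),
        Frame::Data(1),
    ];
    println!("wrapping window: {}", apply_frames_wrapping(65_535, &seq));
    println!("checked window:  {:?}", apply_frames(65_535, &seq));
}
```

The wrapping replay shows why the underflow matters: after the second decrease the wrapped window reads 65,537 bytes and the DATA frame is accepted, whereas the checked replay stops at `Underflow` before any payload is admitted.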

82marbag commented 1 year ago

@f0rki is it ready for review?

f0rki commented 1 year ago

> @f0rki is it ready for review?

looks good to me @82marbag @seanmonstar