Fuzzing discovered an integer underflow in the flow control handling that can be triggered by a certain sequence of frames. In release builds this would lead to wrap-around of the negative window. This seems incorrect to me. I did not find anything definitive in the http2 spec.
Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow.
Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with debug_assert!, assuming that those code paths do not over/underflow. In this case I left TODO: comments.
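The pattern this commit message describes, as an added Rust illustration that is not the project's own code: window arithmetic that returns `Result` instead of using `-=`, next to the wrap-around an unchecked subtraction produces in a release build. `Window`, `FlowError`, `replay` and `wrapping_dec` are hypothetical names, and the window and frame sizes are constructed.

```rust
// Added illustration; all names are hypothetical, not the project's API.
const MAX_WINDOW: u32 = i32::MAX as u32; // 2^31 - 1

#[derive(Debug, PartialEq)]
pub enum FlowError { Overflow, Underflow }

/// Signed flow-control window; it may legitimately go negative.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Window(i32);

impl Window {
    pub fn new(v: i32) -> Self { Window(v) }
    pub fn get(self) -> i32 { self.0 }

    /// Shrink the window by `sz`; the caller maps Err to a GOAWAY protocol error.
    pub fn dec(&mut self, sz: u32) -> Result<(), FlowError> {
        if sz > MAX_WINDOW { return Err(FlowError::Underflow); }
        self.0 = self.0.checked_sub(sz as i32).ok_or(FlowError::Underflow)?;
        Ok(())
    }

    /// Grow the window by `sz` (e.g. a window update).
    pub fn inc(&mut self, sz: u32) -> Result<(), FlowError> {
        if sz > MAX_WINDOW { return Err(FlowError::Overflow); }
        self.0 = self.0.checked_add(sz as i32).ok_or(FlowError::Overflow)?;
        Ok(())
    }
}

/// What an unchecked `-=` does when overflow checks are off: it wraps.
pub fn wrapping_dec(window: i32, sz: u32) -> i32 {
    window.wrapping_sub(sz as i32)
}

/// Apply a sequence of decrements, stopping at the first underflow.
pub fn replay(start: i32, frames: &[u32]) -> Result<i32, FlowError> {
    let mut w = Window::new(start);
    for &sz in frames { w.dec(sz)?; }
    Ok(w.get())
}

fn main() {
    // Constructed input: an already deeply negative window, then two decrements.
    let (start, frames) = (-2_147_483_000, [500u32, 200]);
    let wrapped = frames.iter().fold(start, |w, &sz| wrapping_dec(w, sz));
    println!("unchecked: {}", wrapped);             // large positive window
    println!("checked: {:?}", replay(start, &frames)); // Err(Underflow)
}
```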