Merge pull request from GHSA-ccw9-q5h2-8c2w

glbrntt · web-flow · commit 93215774aa7d · 2022-02-11T09:17:56.000Z
* Validate HEADERS frame length accounts for priority data

Motivation:

When parsing a HEADERS frame payload which includes priority data the
expected length of the frame is not validated to ensure that it is large
enough to account for the stream data. This can lead to the expected
payload length being negative.

Modifications:

- Validate that when stream priority data is present that the frame
  length is at least that size
- Add fuzz testing failure case

Result:

The frame decoder will throw a protocol error when parsing a HEADERS
frame if the length of the frame is less than the number of bytes
required for stream priority data and the priority flag is set.

* Add additional tests

* Fix weirdo formatting
diff --git a/FuzzTesting/FailCases/clusterfuzz-testcase-minimized-ServerFuzzer-release-4565313872592896 b/FuzzTesting/FailCases/clusterfuzz-testcase-minimized-ServerFuzzer-release-4565313872592896
diff --git a/Sources/NIOHTTP2/HTTP2FrameParser.swift b/Sources/NIOHTTP2/HTTP2FrameParser.swift
@@ -686,6 +686,11 @@ struct HTTP2FrameDecoder {
 
         let priorityData: HTTP2Frame.StreamPriorityData?
         if flags.contains(.priority) {
+            // Validate that the length includes the priority data.
+            guard bytesToRead >= 5 else {
+                throw InternalError.codecError(code: .protocolError)
+            }
+
             let raw: UInt32 = bytes.readInteger()!
             priorityData = HTTP2Frame.StreamPriorityData(exclusive: (raw & 0x8000_0000 != 0),
                                                          dependency: HTTP2StreamID(networkID: raw),
diff --git a/Tests/NIOHTTP2Tests/HTTP2FrameParserTests+XCTest.swift b/Tests/NIOHTTP2Tests/HTTP2FrameParserTests+XCTest.swift
@@ -48,6 +48,8 @@ extension HTTP2FrameParserTests {
                 ("testHeadersFrameDecodingWithPriorityNoPadding", testHeadersFrameDecodingWithPriorityNoPadding),
                 ("testHeadersFrameDecodingWithPriorityWithPadding", testHeadersFrameDecodingWithPriorityWithPadding),
                 ("testHeadersFrameDecodeFailures", testHeadersFrameDecodeFailures),
+                ("testHeadersFrameDecodingWithPriorityAndIncorrectLength", testHeadersFrameDecodingWithPriorityAndIncorrectLength),
+                ("testHeadersFrameDecodingWithPriorityAndCorrectLength", testHeadersFrameDecodingWithPriorityAndCorrectLength),
                 ("testHeadersFrameEncodingNoPriority", testHeadersFrameEncodingNoPriority),
                 ("testHeadersFrameEncodingWithPriority", testHeadersFrameEncodingWithPriority),
                 ("testPriorityFrameDecoding", testPriorityFrameDecoding),
diff --git a/Tests/NIOHTTP2Tests/HTTP2FrameParserTests.swift b/Tests/NIOHTTP2Tests/HTTP2FrameParserTests.swift
@@ -647,6 +647,48 @@ class HTTP2FrameParserTests: XCTestCase {
             }
         })
     }
+
+    func testHeadersFrameDecodingWithPriorityAndIncorrectLength() throws {
+        for invalidLength in UInt8(0) ... UInt8(4) {
+            let frameBytes: [UInt8] = [
+                0x00, 0x00, invalidLength,  // 3-byte payload length ('invalidLength' bytes)
+                0x01,                       // 1-byte frame type (HEADERS)
+                0x24,                       // 1-byte flags (END_HEADERS, PRIORITY)
+                0x00, 0x00, 0x00, 0x03,     // 4-byte stream identifier
+                0x80, 0x00, 0x00, 0x01,     // 4-byte stream dependency (top bit = exclusive)
+                0x01,                       // 1-byte weight (1)
+            ]
+
+            var buf = self.byteBuffer(withBytes: frameBytes)
+            var decoder = HTTP2FrameDecoder(allocator: self.allocator, expectClientMagic: false)
+
+            decoder.append(bytes: &buf)
+            XCTAssertThrowsError(try decoder.nextFrame(), "Should throw a protocol error", { err in
+                guard let connErr = err as? InternalError, case .codecError(code: .protocolError) = connErr else {
+                    XCTFail("Should have thrown a codec error of type PROTOCOL_ERROR")
+                    return
+                }
+            })
+        }
+    }
+
+    func testHeadersFrameDecodingWithPriorityAndCorrectLength() throws {
+        let frameBytes: [UInt8] = [
+            0x00, 0x00, 0x05,           // 3-byte payload length (5 bytes)
+            0x01,                       // 1-byte frame type (HEADERS)
+            0x24,                       // 1-byte flags (END_HEADERS, PRIORITY)
+            0x00, 0x00, 0x00, 0x03,     // 4-byte stream identifier
+            0x80, 0x00, 0x00, 0x01,     // 4-byte stream dependency (top bit = exclusive)
+            0x01,                       // 1-byte weight (1)
+        ]
+
+        let priorityData = HTTP2Frame.StreamPriorityData(exclusive: true, dependency: HTTP2StreamID(1), weight: 1)
+        let expectedFrame = HTTP2Frame(streamID: HTTP2StreamID(3),
+                                       payload: .headers(.init(headers: [:], priorityData: priorityData, endStream: false)))
+
+        var buf = byteBuffer(withBytes: frameBytes)
+        try assertReadsFrame(from: &buf, matching: expectedFrame)
+    }
     
     func testHeadersFrameEncodingNoPriority() throws {
         let streamID = HTTP2StreamID(1)
