commit 4fb65f421b4d650711e5d8b9dbcbf4bf589d26cc Author: Christopher Faulet Date: Wed Jun 19 09:25:58 2019 +0200 BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked When a DATA frame is processed for a message with a content-length, we first take care to not have a frame size that exceeds the remaining to read. Otherwise, an error is triggered. But we must remove the padding length from the frame size because the padding is not included in the announced content-length. This patch must be backported to 2.0 and 1.9. (cherry picked from commit 4f09ec812adbd9336cddc054660a7fb5cd54b459) Signed-off-by: Christopher Faulet diff --git a/src/mux_h2.c b/src/mux_h2.c index c06d5d68..5bb85181 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2177,7 +2177,7 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s) goto strm_err; } - if ((h2s->flags & H2_SF_DATA_CLEN) && h2c->dfl > h2s->body_len) { + if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) { /* RFC7540#8.1.2 */ error = H2_ERR_PROTOCOL_ERROR; goto strm_err;