
Inconsistency in vtc_http2 parse_hdr

Open nigoroll opened this issue 1 year ago • 2 comments

Coverity CID 1605314 Overflowed return value

https://github.com/varnishcache/varnish-cache/blob/33d8a53d4e4bc43edd8fe5fd8cfd9bc11db078c8/bin/varnishtest/vtc_http2.c#L505-L514

For f->md.padded >= size, incrementing shift by one actually looks wrong to me. And why shift += 1 in the first place and not shift += f->md.padded?

Edit: Very similar issue here:

https://github.com/varnishcache/varnish-cache/blob/33d8a53d4e4bc43edd8fe5fd8cfd9bc11db078c8/bin/varnishtest/vtc_http2.c#L417-L426

nigoroll, Sep 12 '24 12:09

I think this looks mostly correct.

shift is where data starts, and the length of the padding goes in front of the data (rfc7540 p30)

But I'm wondering now if it shouldn't be size -= 1 + f->md.padded also in line 514?

bsdphk, Sep 16 '24 13:09
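The padded DATA layout bsdphk describes, with the bounds check nigoroll's first comment asks about, as an added example that is not vtc_http2 code: every name in it (h2_payload, h2_unpad, unpad_len, H2_FLAG_PADDED) is the example's own, and it covers only the DATA frame case, not the extra PRIORITY fields of a HEADERS frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not varnish-cache code: undoes the PADDED layout of an
 * HTTP/2 DATA frame payload (RFC 7540 section 6.1) as the thread describes
 * it: a Pad Length octet in front of the data, padding after it, so data
 * starts at shift = 1 and is size - 1 - padded octets long. All names
 * here are the example's own, not vtc_http2 identifiers. */
#define H2_FLAG_PADDED 0x08

struct h2_payload {
	const uint8_t *data;	/* first data octet, after the Pad Length */
	size_t len;		/* data length, padding excluded */
	unsigned padded;	/* Pad Length value, 0 without the flag */
};

/* 0 on success, -1 for a malformed frame: a Pad Length equal to or larger
 * than the payload is a PROTOCOL_ERROR in RFC 7540, and without the check
 * size -= 1 + padded underflows (the "overflowed return value"). */
static int
h2_unpad(const uint8_t *buf, size_t size, uint8_t flags,
    struct h2_payload *out)
{
	size_t shift = 0;

	memset(out, 0, sizeof *out);
	if (flags & H2_FLAG_PADDED) {
		if (size == 0)
			return (-1);	/* no room for the Pad Length octet */
		out->padded = buf[0];
		shift = 1;		/* data begins after the Pad Length octet */
		if (out->padded >= size)
			return (-1);	/* padding would swallow the payload */
	}
	out->data = buf + shift;
	out->len = size - shift - out->padded;
	return (0);
}

/* Data length, or -1 for a malformed frame. */
static long
unpad_len(const uint8_t *buf, size_t size, uint8_t flags)
{
	struct h2_payload p;

	return (h2_unpad(buf, size, flags, &p) < 0 ? -1 : (long)p.len);
}
```

A Pad Length of size - 1 is still legal (zero data octets); only padded >= size is rejected, which is exactly the boundary the Coverity report is about.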

@bsdphk could you maybe have another look? Two reports in this area are still open in coverity: 1605315 and 1605311

nigoroll, Jun 03 '25 14:06