From c0aaef30b176f1be7f11bd3a7c1c7aff34491df7 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov
Date: Mon, 25 Jul 2016 17:41:00 +0200
Subject: HTTP/2 - fix 'GOAWAY' frame size validation

Found while implementing cleartext http2 (and sending some erroneous frames) - GOAWAY can have some 'opaque debug information payload' so the frame's size is at least 8 bytes, but can be more.

Change-Id: I90fb8a3df22768673c4f40ba3bf6a3f5ffe33058
Reviewed-by: Edward Welbourne
---
 src/network/access/http2/http2frames.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src/network/access/http2')

diff --git a/src/network/access/http2/http2frames.cpp b/src/network/access/http2/http2frames.cpp
index 471fb2c7fb..55e9f93b19 100644
--- a/src/network/access/http2/http2frames.cpp
+++ b/src/network/access/http2/http2frames.cpp
@@ -73,11 +73,15 @@ FrameStatus validate_frame_header(FrameType type, FrameFlags flags, quint32 payl
 return FrameStatus::sizeError;
 break;
 case FrameType::PING:
- case FrameType::GOAWAY:
- // 6.7 PING, 6.8 GOAWAY
+ // 6.7 PING
 if (payloadSize != 8)
 return FrameStatus::sizeError;
 break;
+ case FrameType::GOAWAY:
+ // 6.8 GOAWAY
+ if (payloadSize < 8)
+ return FrameStatus::sizeError;
+ break;
 case FrameType::RST_STREAM:
 case FrameType::WINDOW_UPDATE:
 // 6.4 RST_STREAM, 6.9 WINDOW_UPDATE
-- 
cgit v1.2.3
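Review bot: The new `payloadSize < 8` test in the GOAWAY case is the right lower bound, but the comment `// 6.8 GOAWAY` does not say why this case uses `<` while the PING case just above keeps `!= 8`, and the next reader may "fix" it back to an exact-size check; a comment such as `// 6.8 GOAWAY: 4-byte last-stream-id + 4-byte error code, then optional opaque debug data (variable length)` would pin the intent the commit message already states. The variable-length debug tail is peer-controlled, so its upper bound presumably rests on the generic maximum-frame-size check elsewhere in validate_frame_header rather than on this case; worth confirming that check applies to every frame type, since nothing in this hunk bounds it. validate_frame_header starts and ends outside the hunk.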