fix: remove padded_len() u8 overflow in DATA frame padding release#908
Open
mehrdada wants to merge 1 commit into
Conversation
padded_len() returned Option<u8> and computed pad_len + 1 to account for the pad length field byte. When pad_len=255 (the maximum per RFC 7540 Section 6.1), 255u8 + 1 overflows to 0, causing the auto-release in recv_data() to release 0 bytes instead of 256. This leaks 256 bytes of flow control capacity per frame for both the stream and connection windows. Remove padded_len() entirely (it had a single call site) and compute padding overhead inline as flow_controlled_len() - payload().len(), which does not rely on details of the payload construction at all (making it more robust) and uses usize arithmetic, so it cannot overflow.
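The following is an added, stand-alone illustration of the bug described in this PR and of the arithmetic the fix switches to; it is not the h2 crate's code, and `DataFrame`, `padded_len_buggy`, `padding_overhead`, `released_buggy`, `released_fixed` and `leaked_per_frame` are hypothetical stand-ins for the real types and functions. The pre-fix shape is modelled with `wrapping_add` so that the u8 wrap from 255 to 0 is reproduced deterministically (a debug build of a plain `255u8 + 1` would panic rather than wrap; the PR's "overflows to 0" is release-mode behaviour). The fixed path computes the padding overhead as `flow_controlled_len() - payload.len()` in `usize`, which is always at least 1 for a padded frame and cannot wrap.

```rust
// Added example, not the h2 project's code. Minimal model of a received
// HTTP/2 DATA frame: the payload plus, if the PADDED flag was set, the value
// of the one-byte Pad Length field (0..=255 per RFC 7540 Section 6.1).
struct DataFrame {
    payload: Vec<u8>,
    pad_len: Option<u8>, // None when the frame is not padded
}

impl DataFrame {
    /// Bytes charged against flow control: payload + padding bytes + the
    /// one-byte Pad Length field when the frame is padded.
    fn flow_controlled_len(&self) -> usize {
        match self.pad_len {
            Some(p) => self.payload.len() + usize::from(p) + 1,
            None => self.payload.len(),
        }
    }

    /// Pre-fix shape (hypothetical stand-in): `pad_len + 1` computed in u8.
    /// `wrapping_add` models release-mode arithmetic, so 255 + 1 becomes 0.
    fn padded_len_buggy(&self) -> Option<u8> {
        self.pad_len.map(|p| p.wrapping_add(1))
    }

    /// Post-fix computation: padding overhead as the difference between the
    /// flow-controlled length and the payload length, in usize. For a padded
    /// frame this is pad_len + 1 and can never wrap.
    fn padding_overhead(&self) -> usize {
        self.flow_controlled_len() - self.payload.len()
    }
}

/// Bytes the buggy receive path would auto-release back to the windows.
fn released_buggy(frame: &DataFrame) -> usize {
    frame.padded_len_buggy().map(usize::from).unwrap_or(0)
}

/// Bytes the fixed receive path releases back to the windows.
fn released_fixed(frame: &DataFrame) -> usize {
    frame.padding_overhead()
}

/// Flow-control capacity leaked per frame by the bug: overhead that was
/// charged to the stream and connection windows but never released.
fn leaked_per_frame(frame: &DataFrame) -> usize {
    released_fixed(frame) - released_buggy(frame)
}

fn main() {
    // Constructed sample: a 10-byte payload with the maximum Pad Length.
    let frame = DataFrame { payload: vec![0xAB; 10], pad_len: Some(255) };
    println!("flow-controlled len: {}", frame.flow_controlled_len()); // 266
    println!("buggy release:       {}", released_buggy(&frame)); // 0
    println!("fixed release:       {}", released_fixed(&frame)); // 256
    println!("leaked per frame:    {}", leaked_per_frame(&frame)); // 256
}
```

Only the boundary value triggers the divergence: for any Pad Length below 255 both computations agree, which is why a test suite that never sends maximally padded frames would not notice the leak.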