From e98b494db77f9b10522cf6a8238deb8d7bd55345 Mon Sep 17 00:00:00 2001 
From: Craig Tiller Date: Sat, 30 Apr 2016 14:11:33 -0700 Subject: [PATCH] Fix bug where max_frame_size was ignored Also add corpus entries that helped diagnose this bug --- .../ext/transport/chttp2/transport/internal.h | 8 +- .../ext/transport/chttp2/transport/parsing.c | 21 +- .../03a72675e1969f836094f1ecfec2a7b34418e306 | Bin 0 -> 286 bytes .../0416afd6875d9ba55f1e5f86a6456a5445d5e576 | Bin 0 -> 651 bytes .../08c42ef29eff83052c5887855f2fa3e07ebe470c | Bin 0 -> 650 bytes .../1ba889ea1543297824e99e641e6ca8b91f45732e | Bin 0 -> 650 bytes .../3b09bf453c6f93983c24c4d5481e55d66213f93a | Bin 0 -> 650 bytes .../49cb33cbb60f041e8e99dd718993acd2c3354416 | Bin 0 -> 357 bytes .../59743fe120be6ae1aed1c02230ee1bb460f621ee | Bin 0 -> 628 bytes .../a5ccb8f124d8ddb5350b90bc0d6b96db280cb7c9 | Bin 0 -> 651 bytes .../a7fac1265a384fe9e45a9ee3d708b79c4e80505e | Bin 0 -> 286 bytes .../aaf049720c707d4e14e47e7eb31d6a2dda60e66a | Bin 0 -> 651 bytes .../c4e4c7572e005e18d56eac407033da058737a5ab | Bin 0 -> 651 bytes ...h-dae0f07934a527989f23f06e630710ff6ca8c809 | Bin 0 -> 104 bytes .../e96ad9c17795e52edc810a08d4fc61fe8790002a | Bin 0 -> 651 bytes .../fa202a5f51cd49f8ea5af60c5f403f797c01c504 | Bin 0 -> 651 bytes tools/run_tests/tests.json | 224 ++++++++++++++++++ 17 files changed, 246 insertions(+), 7 deletions(-) create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/03a72675e1969f836094f1ecfec2a7b34418e306 create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/0416afd6875d9ba55f1e5f86a6456a5445d5e576 create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/08c42ef29eff83052c5887855f2fa3e07ebe470c create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/1ba889ea1543297824e99e641e6ca8b91f45732e create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/3b09bf453c6f93983c24c4d5481e55d66213f93a create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/49cb33cbb60f041e8e99dd718993acd2c3354416 create mode 100644 
test/core/end2end/fuzzers/server_fuzzer_corpus/59743fe120be6ae1aed1c02230ee1bb460f621ee create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/a5ccb8f124d8ddb5350b90bc0d6b96db280cb7c9 create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/a7fac1265a384fe9e45a9ee3d708b79c4e80505e create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/aaf049720c707d4e14e47e7eb31d6a2dda60e66a create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/c4e4c7572e005e18d56eac407033da058737a5ab create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/crash-dae0f07934a527989f23f06e630710ff6ca8c809 create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/e96ad9c17795e52edc810a08d4fc61fe8790002a create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/fa202a5f51cd49f8ea5af60c5f403f797c01c504 diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h index 7a8084641d7..04c75619df6 100644 --- a/src/core/ext/transport/chttp2/transport/internal.h +++ b/src/core/ext/transport/chttp2/transport/internal.h @@ -236,9 +236,6 @@ struct grpc_chttp2_transport_parsing { /** was a goaway frame received? */ uint8_t goaway_received; - /** the last sent max_table_size setting */ - uint32_t last_sent_max_table_size; - /** initial window change */ int64_t initial_window_update; @@ -272,6 +269,9 @@ struct grpc_chttp2_transport_parsing { uint32_t incoming_frame_size; uint32_t incoming_stream_id; + /* current max frame size */ + uint32_t max_frame_size; + /* active parser */ void *parser_data; grpc_chttp2_stream_parsing *incoming_stream; @@ -282,6 +282,8 @@ struct grpc_chttp2_transport_parsing { /* received settings */ uint32_t settings[GRPC_CHTTP2_NUM_SETTINGS]; + /* last settings that were sent */ + uint32_t last_sent_settings[GRPC_CHTTP2_NUM_SETTINGS]; /* goaway data */ grpc_status_code goaway_error; 
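Review bot: The two new field comments in internal.h, `/* current max frame size */` and `/* last settings that were sent */`, do not say whose limit `max_frame_size` is or when it changes, which matters because this is the value the new frame-size check in parsing.c enforces against the peer. The parsing.c hunks in this same patch show it is seeded from `settings[GRPC_ACKED_SETTINGS][GRPC_CHTTP2_SETTINGS_MAX_FRAME_SIZE]` in grpc_chttp2_prepare_to_read and refreshed from `last_sent_settings` when a SETTINGS ACK is received, so I would document that: `/* largest frame the peer may send us: the SETTINGS_MAX_FRAME_SIZE we sent and the peer has acknowledged; refreshed on SETTINGS ACK */`. For the array, `/* snapshot of settings[GRPC_SENT_SETTINGS] taken in grpc_chttp2_prepare_to_read; applied once the peer acks them */`. Both hunks sit inside struct grpc_chttp2_transport_parsing, whose definition begins before the hunk.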
diff --git a/src/core/ext/transport/chttp2/transport/parsing.c b/src/core/ext/transport/chttp2/transport/parsing.c index e827a43f7a4..2995066e519 100644 --- a/src/core/ext/transport/chttp2/transport/parsing.c +++ b/src/core/ext/transport/chttp2/transport/parsing.c @@ -79,9 +79,12 @@ void grpc_chttp2_prepare_to_read( GPR_TIMER_BEGIN("grpc_chttp2_prepare_to_read", 0); transport_parsing->next_stream_id = transport_global->next_stream_id; - transport_parsing->last_sent_max_table_size = - transport_global->settings[GRPC_SENT_SETTINGS] - [GRPC_CHTTP2_SETTINGS_HEADER_TABLE_SIZE]; + memcpy(transport_parsing->last_sent_settings, + transport_global->settings[GRPC_SENT_SETTINGS], + sizeof(transport_parsing->last_sent_settings)); + transport_parsing->max_frame_size = + transport_global->settings[GRPC_ACKED_SETTINGS] + [GRPC_CHTTP2_SETTINGS_MAX_FRAME_SIZE]; /* update the parsing view of incoming window */ while (grpc_chttp2_list_pop_unannounced_incoming_window_available( @@ -388,6 +391,12 @@ int grpc_chttp2_perform_read(grpc_exec_ctx *exec_ctx, return 1; } goto dts_fh_0; /* loop */ + } else if (transport_parsing->incoming_frame_size > + transport_parsing->max_frame_size) { + gpr_log(GPR_DEBUG, "Frame size %d is larger than max frame size %d", + transport_parsing->incoming_frame_size, + transport_parsing->max_frame_size); + return 0; } if (++cur == end) { return 1; @@ -840,7 +849,11 @@ static int init_settings_frame_parser( transport_parsing->settings_ack_received = 1; grpc_chttp2_hptbl_set_max_bytes( &transport_parsing->hpack_parser.table, - transport_parsing->last_sent_max_table_size); + transport_parsing + ->last_sent_settings[GRPC_CHTTP2_SETTINGS_HEADER_TABLE_SIZE]); + transport_parsing->max_frame_size = + transport_parsing + ->last_sent_settings[GRPC_CHTTP2_SETTINGS_MAX_FRAME_SIZE]; } transport_parsing->parser = grpc_chttp2_settings_parser_parse; transport_parsing->parser_data = &transport_parsing->simple.settings; 
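Review bot: The new frame-size check in grpc_chttp2_perform_read logs two `uint32_t` values with `%d`; the specifiers should match the unsigned type, e.g. `gpr_log(GPR_DEBUG, "Frame size %u is larger than max frame size %u", transport_parsing->incoming_frame_size, transport_parsing->max_frame_size);` (or `PRIu32`). The check is placed after the `incoming_frame_size == 0` branch, so whatever frame-header handling precedes it in this function (outside the hunk) has already run for the oversized frame before it is rejected; worth confirming nothing there allocates or attaches per-frame state. Returning 0 appears to abort the read without classifying this as a FRAME_SIZE_ERROR for the peer; whether the caller turns that into a GOAWAY is not visible here. A peer-triggered protocol violation logged at GPR_DEBUG will also be invisible in most production logs; GPR_INFO or GPR_ERROR would make such traffic detectable. grpc_chttp2_perform_read's body starts and ends outside the hunk.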
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/03a72675e1969f836094f1ecfec2a7b34418e306 b/test/core/end2end/fuzzers/server_fuzzer_corpus/03a72675e1969f836094f1ecfec2a7b34418e306 new file mode 100644 index 0000000000000000000000000000000000000000..503af15fe81ccba6a1300796531f278f34d9be84 GIT binary patch literal 286 zcmY+9%}&EG49DA1#HcnY7p|z{#K*FBNL=;=?0~3fUm$b5#!{L@t&14X%>$5f!?LZP zzx0>uk3;cTytZv!K5wgazRsJsIVVYy#hC3UohcQU`=Hn?%aixzQ4Qj1KZ3y?Gs7HW z)gv3Pv--VhMP~fS*VcowGl>;=$LLt{IpD1d!4fDY@5*inVEBnf8U0gP(rHu+AQb=x zmgvB1a@`H-cu#!ZXgpcPxaqzrhy~-42SpZ#QRLHzgH&ByygMo_!BWIxmXJ_Z+g*Hd bTNU?~-1PMzR(}Jg9{t1@yQ=x$S-dpAwYOHl literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/0416afd6875d9ba55f1e5f86a6456a5445d5e576 b/test/core/end2end/fuzzers/server_fuzzer_corpus/0416afd6875d9ba55f1e5f86a6456a5445d5e576 new file mode 100644 index 0000000000000000000000000000000000000000..30229f98fd3e7479f61635c604dbb259dddfd23f GIT binary patch literal 651 zcmcIiO;3a{5G@2Fq9i@&op@5Se7Hw0UiDxkE`Oj~y3nNCHtmqO{%(&ZS`cnz_2ML* zbf#}6Gw-!}eM;_<$GWcabymbt9BrNlj}Qvnapog$xOw=b)C9UP-zk-EiNU9(r5)R| zpaak@+B4`>6I3so8b>ARU1T^M&V-^wbjkw0ph^OhkitPTOtco965vYatPKosbWJ<*&a^^0a eIa?_BlZ?S2+mC=#|G^x9XE}~u> z$dEV8o6NjP{rr$#rT0x!7dLsC#7Vq(^d2D;y5nqy0)GqeL8S@wQL$30SQ3K|D@%K} zW?>JY9a=N!RU6h%iw4IP85}YkHb+8HB6?*3pHL-%NyuQM875i_P6==&i_U0@Prc6w zrA$M{Bvmb!-C4_4f&iQI)-heZdH2dSo&k%%5H6UpI36rB8R=X?{p&pFEpVd+XgAOK zlC&8W+>z6<0a}##wG$&R(+k1n@N$W6-@OuncT=mT@So7}*p~$YgAM3Uk0fK}PP=HQ i**BCwtugd#`&!_B3A`Ve;E%0Mf)j8zqV2apN}^Aa{(0R1 literal 0 HcmV?d00001 
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/1ba889ea1543297824e99e641e6ca8b91f45732e b/test/core/end2end/fuzzers/server_fuzzer_corpus/1ba889ea1543297824e99e641e6ca8b91f45732e new file mode 100644 index 0000000000000000000000000000000000000000..6ed060d1e33cc75aa2a1c2e40990d19970c94819 GIT binary patch literal 650 zcmcgqJx{|h5VflyLLia{*dr!D%|{utu)=_dX#RlfxQQj#w(N^U`Q402;DlzY0uv|s z$!Fg?-@SA7`jp%yk9A$;_gN7~akPFO5Fr%!~CU|IoJkiy<@LXDAvQ4m_?tu>5X4wzEL zxPg=_rW>K!tA=kS1-=xGXZn20_FWjV03L#+LUQX!)H`ld+WLU%*M86k_N`$w^>e+U zP0FP3)`FIy!#J5#dW>;w*g;6-WcNrn%+ht>dJh$`kUSSCEAX{ji%}I;*i;i-( zWIhKl7A+ZYUHj$3tioYIRu;7a`U9yck-X^uA5pDV!&R)#E{jW_fyP%}De3ObWGnI!D)U&I!+@aTH@{(fdbyI`~K7aJW|o1Xi6#e-auy m5o|nr>A#@-=^1^lJJ>wnt_0pKjPUO++zkCZ8@>h73atUHl!AHy literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/49cb33cbb60f041e8e99dd718993acd2c3354416 b/test/core/end2end/fuzzers/server_fuzzer_corpus/49cb33cbb60f041e8e99dd718993acd2c3354416 new file mode 100644 index 0000000000000000000000000000000000000000..7f975251ddc4dcbabc73068dc55220f700ed5502 GIT binary patch literal 357 zcmZ`#O;5ux3~fh&QEgI?xNt#LPYl+tNeF2-Zg4%HgUT2mwxd&MaOYG>yv%C6LQJvR#R-|$zG|1cI13(SOYD1 z4WhPL3)ra2%ioIcaU4tHHOkhNRkp)u{L1Kgl4L4M4!5KxaWKwsU-DAT|WZysq zugKNJMU-8JA*-b6O|;|k%s@B5(|=+IPHod+UBO;ZgmwMNHJKsIv7=l-XNce12@$QW zif~7(hzV|C@cS1_9^=fOAWnl@!DaukB8%F!iz9DA^>~t{ZDFZN*O8jp>ZWj<>*Im` O6#XE3Fu>GGR^|s4h-V@I literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/59743fe120be6ae1aed1c02230ee1bb460f621ee b/test/core/end2end/fuzzers/server_fuzzer_corpus/59743fe120be6ae1aed1c02230ee1bb460f621ee new file mode 100644 index 0000000000000000000000000000000000000000..3038fde54719db4a3f0ce804f452a626f38a0ca2 GIT binary patch literal 628 zcmd5)O-sZu5KWhgwOGhO@5PhK_Ct@oc-4bg-2Q>tbhZs-laNlq^>=&pU|QXSu%O_@ zKpvSPGrW0k>gR{_I=ye2y132DBu?Vhef6XDNai{}m)N<-J(ZUZevYf8|>^`Sj`7ffj#BeJubp GntcG*sBCWl literal 0 HcmV?d00001 
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/a5ccb8f124d8ddb5350b90bc0d6b96db280cb7c9 b/test/core/end2end/fuzzers/server_fuzzer_corpus/a5ccb8f124d8ddb5350b90bc0d6b96db280cb7c9 new file mode 100644 index 0000000000000000000000000000000000000000..9d39854fc970a412a7822e0bae9030fa900e56e2 GIT binary patch literal 651 zcmcgqJx{|h5VflyLLia{*dr!D%?BN`u)=_dX#RlfxQQj#w(N^U`Q402;DlzY0uv|s z$!Fg?-@SA7`jp%yk9A$;tE`BlI9fjsh!6_=^0q*D*kN)~8VX&QZ?(=h)RNQEv5xO} z&;c0l?KpJ0396TMO`?+a-m?PsXHqjNJMDm6Fs*K(T!ZGAxXYd`1%`_?d;`nlfF zCS_81axxac@*=zUVq`^fBZcbUZqdW%C7=o^D)c_IJ+ literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/a7fac1265a384fe9e45a9ee3d708b79c4e80505e b/test/core/end2end/fuzzers/server_fuzzer_corpus/a7fac1265a384fe9e45a9ee3d708b79c4e80505e new file mode 100644 index 0000000000000000000000000000000000000000..338f61bdce7de24e9f547fea219d7e330cf4cd55 GIT binary patch literal 286 zcmY+9%}&EG49C||#HcnY7p|z{1ZZhHBrf9x*a1<|zCh-9jioe+S{E^%n+G7}hGknn zf9WsRABX%ge{I{kd@8CT8~ zs~*{So!0M7D^lY}zP28eok^_0J4VNn&jD{$2$n!Gc~^ErfEPA2%IKfUl1`#p0I2{l zutW!5lk09s$9v-QR^!Pk#%=daK`a?pJSeg_j3S#x9Hi>v;@wec36>(}vxJ1QDt7V3 cqRQ_rx#{actp5f~J^G0+c2)DgvwUuT0lv*v&;S4c literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/aaf049720c707d4e14e47e7eb31d6a2dda60e66a b/test/core/end2end/fuzzers/server_fuzzer_corpus/aaf049720c707d4e14e47e7eb31d6a2dda60e66a new file mode 100644 index 0000000000000000000000000000000000000000..dab9c75822fa7c75554351917d686c8e18ddad75 GIT binary patch literal 651 zcmcgqJx{|h5VflyLLia{*dr!D%?FHGSYfD$X#RlfxQQj#w(N^U`Q402;DlzY0uv|s z$!Fg?-@SA7`kdS)Pjy}84_OgMakO3yh!6_=^0q*D*kN)~8VX&QZ?(=h)RNQEv5xO} z&;c0l?KpJ0396TMO`?+a-m?PsXHqjNJMDm6Fs*K(T!ZGAxXYd`1%`_?d;`nlfF zCS_81axxac@*=zUVq`^fBZcbUZqeiCCMua0FR`YJNi1Rc7~T9)(f3dUhTmKwGqB(5l)mUse?k3({L;IPA`ZqC~W+1AIZ11STPYoo1M5EjT5>mCPEWDZX?* zA(S!=36oUSTsBuV+Xw<|!E2jo>n)mhuJH_50ETeEOozk1V9`#UcDBbUyUe0fD}Im`^v g!N}Q>lt0PnJK25&JW^un=xc9NG45{vFOZVx8}uT1hyVZp literal 0 HcmV?d00001 
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/crash-dae0f07934a527989f23f06e630710ff6ca8c809 b/test/core/end2end/fuzzers/server_fuzzer_corpus/crash-dae0f07934a527989f23f06e630710ff6ca8c809 new file mode 100644 index 0000000000000000000000000000000000000000..b6dfd77e676bc7c6dc4500e2b4533846853e1dcc GIT binary patch literal 104 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=9k%Dpo*}fkA?uk%i&80^|Px6tyDhMFq*a iiOI>S1&l_idCB=HnR)3PK&1?fAYF|A8{mMUfdK$pcNnJt literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/e96ad9c17795e52edc810a08d4fc61fe8790002a b/test/core/end2end/fuzzers/server_fuzzer_corpus/e96ad9c17795e52edc810a08d4fc61fe8790002a new file mode 100644 index 0000000000000000000000000000000000000000..df9241dd0c6f33819a08674d0a1514907cf16c66 GIT binary patch literal 651 zcmcIiJx{|h5VflyLLia{*dwNbnhzMWu)=_dX#RlfxQQj#w&IIK`Q402V25_7R0S4J z^2yJ>JKw$M>h&qPO&;sI%I~uxj^b$f>^(v#aLd^YVZX!Vq%;(|Fkfq(uV_zBOUpXG z;Xwyr9NKW`bQ4rB%bG+b9USTfY|o@-RCd||xnNoWSCGQia6*ldf>97!CyK`h@MKYH{4R1H-;nOpLy*sq>5dIT7AN#UEVX$~U^+-HM?zs#1 foE=H|lZ=6v?MJ{PC8mzPb~Y8`?{@zJX@$N4#wK}E literal 0 HcmV?d00001 diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/fa202a5f51cd49f8ea5af60c5f403f797c01c504 b/test/core/end2end/fuzzers/server_fuzzer_corpus/fa202a5f51cd49f8ea5af60c5f403f797c01c504 new file mode 100644 index 0000000000000000000000000000000000000000..0ba5935164ce79aad888bbb5bb41a191d02e561e GIT binary patch literal 651 zcmcgqO-sZu5KWefwOYtQ@5PhK_Cvu-FJAQ^7Po&On`YZUHVMfTTz|JmLDRauE!C3) zd1R7#lbJWEUZ0YivBM$cldtp{dkO=v