Merge pull request #4334 from ctiller/lonely-data

Fix fuzzing detected crash
9 years ago · e987b272a1
parent 8344816652 c3218147de
commit e987b272a1
2 changed files with 19 additions and 9 deletions
--- a/src/core/transport/chttp2/hpack_parser.c
+++ b/src/core/transport/chttp2/hpack_parser.c
@ -1418,15 +1418,19 @@ grpc_chttp2_parse_error grpc_chttp2_header_parser_parse(
      GPR_TIMER_END("grpc_chttp2_hpack_parser_parse", 0);
      return GRPC_CHTTP2_CONNECTION_ERROR;
    }
-    if (parser->is_boundary) {
-      stream_parsing
-          ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
-      stream_parsing->header_frames_received++;
-      grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
-                                               stream_parsing);
-    }
-    if (parser->is_eof) {
-      stream_parsing->received_close = 1;
+    /* need to check for null stream: this can occur if we receive an invalid
+       stream id on a header */
+    if (stream_parsing != NULL) {
+      if (parser->is_boundary) {
+        stream_parsing
+            ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
+        stream_parsing->header_frames_received++;
+        grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
+                                                 stream_parsing);
+      }
+      if (parser->is_eof) {
+        stream_parsing->received_close = 1;
+      }
    }
    parser->on_header = on_header_not_set;
    parser->on_header_user_data = NULL;
--- a/test/core/bad_client/tests/headers.c
+++ b/test/core/bad_client/tests/headers.c
@ -195,5 +195,11 @@ int main(int argc, char **argv) {
                           "\x00\x00\x00\x09\x04\x00\x00\x00\x01",
                           0);

+  /* an invalid header found with fuzzing */
+  GRPC_RUN_BAD_CLIENT_TEST(verifier,
+                           PFX_STR 
+                           "\x00\x00\x00\x01\x39\x67\xed\x1d\x64",
+                           GRPC_BAD_CLIENT_DISCONNECT);
+
  return 0;
 }