summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorcbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-07-02 15:26:09 +0000
committercbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-07-02 15:26:09 +0000
commit4411f175490ab73c6395d2e4076568003371617b (patch)
tree3f8ddcc751d5cc70253ef1bc7b0dc2e74bcd8109 /net
parent03c5430b5362b1925a0bb5a1df404304fe09ace1 (diff)
downloadchromium_src-4411f175490ab73c6395d2e4076568003371617b.zip
chromium_src-4411f175490ab73c6395d2e4076568003371617b.tar.gz
chromium_src-4411f175490ab73c6395d2e4076568003371617b.tar.bz2
SPDY: Handle incorrect number of headers when parsing frame headers.
This fix broke some tests which were also fixed. BUG=47480 TEST=net_unittests Contributed by: agayev@google.com Review URL: http://codereview.chromium.org/2805066 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@51533 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/spdy/spdy_framer.cc6
-rw-r--r--net/spdy/spdy_framer_test.cc57
2 files changed, 55 insertions, 8 deletions
diff --git a/net/spdy/spdy_framer.cc b/net/spdy/spdy_framer.cc
index 0a1c2b7..cd573a5 100644
--- a/net/spdy/spdy_framer.cc
+++ b/net/spdy/spdy_framer.cc
@@ -470,7 +470,8 @@ bool SpdyFramer::ParseHeaderBlock(const SpdyFrame* frame,
void* iter = NULL;
uint16 num_headers;
if (builder.ReadUInt16(&iter, &num_headers)) {
- for (int index = 0; index < num_headers; ++index) {
+ int index = 0;
+ for ( ; index < num_headers; ++index) {
std::string name;
std::string value;
if (!builder.ReadString(&iter, &name))
@@ -485,7 +486,8 @@ bool SpdyFramer::ParseHeaderBlock(const SpdyFrame* frame,
return false;
}
}
- return true;
+ return index == num_headers &&
+ iter == header_data + header_length;
}
return false;
}
diff --git a/net/spdy/spdy_framer_test.cc b/net/spdy/spdy_framer_test.cc
index 6192b40..afedbba 100644
--- a/net/spdy/spdy_framer_test.cc
+++ b/net/spdy/spdy_framer_test.cc
@@ -148,7 +148,7 @@ TEST_F(SpdyFramerTest, HeaderBlock) {
EXPECT_TRUE(frame.get() != NULL);
SpdyHeaderBlock new_headers;
- framer.ParseHeaderBlock(frame.get(), &new_headers);
+ EXPECT_TRUE(framer.ParseHeaderBlock(frame.get(), &new_headers));
EXPECT_EQ(headers.size(), new_headers.size());
EXPECT_EQ(headers["alpha"], new_headers["alpha"]);
@@ -162,6 +162,7 @@ TEST_F(SpdyFramerTest, OutOfOrderHeaders) {
frame.WriteUInt16(SYN_STREAM);
frame.WriteUInt32(0); // Placeholder for the length.
frame.WriteUInt32(3); // stream_id
+ frame.WriteUInt32(0); // associated stream id
frame.WriteUInt16(0); // Priority.
frame.WriteUInt16(2); // Number of headers.
@@ -180,6 +181,51 @@ TEST_F(SpdyFramerTest, OutOfOrderHeaders) {
EXPECT_TRUE(framer.ParseHeaderBlock(control_frame.get(), &new_headers));
}
+TEST_F(SpdyFramerTest, WrongNumberOfHeaders) {
+ SpdyFrameBuilder frame1;
+ SpdyFrameBuilder frame2;
+
+ // a frame with smaller number of actual headers
+ frame1.WriteUInt16(kControlFlagMask | 1);
+ frame1.WriteUInt16(SYN_STREAM);
+ frame1.WriteUInt32(0); // Placeholder for the length.
+ frame1.WriteUInt32(3); // stream_id
+ frame1.WriteUInt32(0); // associated stream id
+ frame1.WriteUInt16(0); // Priority.
+
+ frame1.WriteUInt16(1); // Wrong number of headers (underflow)
+ frame1.WriteString("gamma");
+ frame1.WriteString("gamma");
+ frame1.WriteString("alpha");
+ frame1.WriteString("alpha");
+ // write the length
+ frame1.WriteUInt32ToOffset(4, frame1.length() - SpdyFrame::size());
+
+ // a frame with larger number of actual headers
+ frame2.WriteUInt16(kControlFlagMask | 1);
+ frame2.WriteUInt16(SYN_STREAM);
+ frame2.WriteUInt32(0); // Placeholder for the length.
+ frame2.WriteUInt32(3); // stream_id
+ frame2.WriteUInt32(0); // associated stream id
+ frame2.WriteUInt16(0); // Priority.
+
+ frame2.WriteUInt16(100); // Wrong number of headers (overflow)
+ frame2.WriteString("gamma");
+ frame2.WriteString("gamma");
+ frame2.WriteString("alpha");
+ frame2.WriteString("alpha");
+ // write the length
+ frame2.WriteUInt32ToOffset(4, frame2.length() - SpdyFrame::size());
+
+ SpdyHeaderBlock new_headers;
+ scoped_ptr<SpdyFrame> syn_frame1(frame1.take());
+ scoped_ptr<SpdyFrame> syn_frame2(frame2.take());
+ SpdyFramer framer;
+ FramerSetEnableCompressionHelper(&framer, false);
+ EXPECT_FALSE(framer.ParseHeaderBlock(syn_frame1.get(), &new_headers));
+ EXPECT_FALSE(framer.ParseHeaderBlock(syn_frame2.get(), &new_headers));
+}
+
TEST_F(SpdyFramerTest, DuplicateHeader) {
SpdyFrameBuilder frame;
@@ -217,7 +263,7 @@ TEST_F(SpdyFramerTest, MultiValueHeader) {
frame.WriteUInt32(0); // associated stream id
frame.WriteUInt16(0); // Priority.
- frame.WriteUInt16(2); // Number of headers.
+ frame.WriteUInt16(1); // Number of headers.
SpdyHeaderBlock::iterator it;
frame.WriteString("name");
std::string value("value1\0value2");
@@ -426,9 +472,8 @@ TEST_F(SpdyFramerTest, FinOnSynReplyFrame) {
0x00, 0x02, 'v', 'v',
0x80, 0x01, 0x00, 0x02, // SYN REPLY Stream #1
- 0x01, 0x00, 0x00, 0x14,
+ 0x01, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x01,
- 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01,
0x00, 0x02, 'a', 'a',
0x00, 0x02, 'b', 'b',
@@ -547,7 +592,7 @@ TEST_F(SpdyFramerTest, DataCompression) {
TEST_F(SpdyFramerTest, UnclosedStreamDataCompressors) {
SpdyFramer send_framer;
- FramerSetEnableCompressionHelper(&send_framer, true);
+ FramerSetEnableCompressionHelper(&send_framer, false);
const char kHeader1[] = "header1";
const char kHeader2[] = "header2";
@@ -565,7 +610,7 @@ TEST_F(SpdyFramerTest, UnclosedStreamDataCompressors) {
const char bytes[] = "this is a test test test test test!";
scoped_ptr<SpdyFrame> send_frame(
send_framer.CreateDataFrame(1, bytes, arraysize(bytes),
- DATA_FLAG_FIN | DATA_FLAG_COMPRESSED));
+ DATA_FLAG_FIN));
EXPECT_TRUE(send_frame.get() != NULL);
// Run the inputs through the framer.