From b3eb7d172aab6c7f423aea2f97c27099d6b65f7a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Nov 2019 09:56:23 +0100
Subject: quiche: reject headers in the wrong order

Pseudo header MUST come before regular headers or cause an error.

Reported-by: Cynthia Coan
Fixes #4571
Closes #4584
---
 lib/strerror.c     | 4 +++-
 lib/vquic/quiche.c | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/strerror.c b/lib/strerror.c
index 7aaa9f4a7..90e8a3131 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -314,8 +314,10 @@ curl_easy_strerror(CURLcode error)
   case CURLE_AUTH_ERROR:
     return "An authentication function returned an error";
 
+  case CURLE_HTTP3:
+    return "HTTP/3 error";
+
     /* error codes not used by current libcurl */
-  case CURLE_OBSOLETE20:
   case CURLE_OBSOLETE24:
   case CURLE_OBSOLETE29:
   case CURLE_OBSOLETE32:
diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
index 0ee360d07..6f9a72579 100644
--- a/lib/vquic/quiche.c
+++ b/lib/vquic/quiche.c
@@ -379,6 +379,9 @@ static int cb_each_header(uint8_t *name, size_t name_len,
               headers->destlen, "HTTP/3 %.*s\n",
               (int) value_len, value);
   }
+  else if(!headers->nlen) {
+    return CURLE_HTTP3;
+  }
   else {
     msnprintf(headers->dest,
               headers->destlen, "%.*s: %.*s\n",
@@ -433,7 +436,9 @@ static ssize_t h3_stream_recv(struct connectdata *conn,
     case QUICHE_H3_EVENT_HEADERS:
       rc = quiche_h3_event_for_each_header(ev, cb_each_header, &headers);
       if(rc) {
-        /* what do we do about this? */
+        *curlcode = rc;
+        failf(data, "Error in HTTP/3 response header");
+        break;
       }
       recvd = headers.nlen;
       break;
-- 
cgit v1.2.3