What happened?
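RFC 9114 Section 4.1: "Receipt of an invalid sequence of frames MUST be treated as a connection error of type H3_FRAME_UNEXPECTED. In particular, a DATA frame before any HEADERS frame … is considered invalid."
xquic's xqc_h3_stream_process_request() function does not validate the frame sequence with a state machine when it processes request stream frames. When a DATA frame is received, it does not check whether a HEADERS frame has already been received. If the peer sends a DATA frame first and then a HEADERS frame, xquic does not raise an H3_FRAME_UNEXPECTED error and instead processes the DATA frame payload directly.
xqc_h3_stream.c:859-1053 xqc_h3_stream_process_request() – DATA and HEADERS are handled directly in switch(pctx->frame.type), with no frame sequence state check
nghttp3_conn.c:1489 nghttp3_conn_read_bidi() – uses the nghttp3_stream_transit_rx_http_state() state machine to strictly validate the frame sequence; a DATA frame must be preceded by a HEADERS frame, otherwise NGHTTP3_ERR_H3_FRAME_UNEXPECTED is returned
Suggested fix | Implement an HTTP message frame sequence state machine and, when a DATA frame is received, check whether a HEADERS frame has already been received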
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output
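The frame-sequence check the report asks for, sketched as an added example (this is not xquic or nghttp3 code, and it is not part of the original issue). The frame type values and the H3_FRAME_UNEXPECTED code are from RFC 9114; the `rx_*` and `FT_*` names are hypothetical, and the model covers only a server receiving one request: HEADERS, zero or more DATA frames, then optional trailing HEADERS.

```c
#include <stddef.h>
#include <stdint.h>

/* Frame type values and error code as defined in RFC 9114. */
enum { FT_DATA = 0x00, FT_HEADERS = 0x01, FT_CANCEL_PUSH = 0x03,
       FT_SETTINGS = 0x04, FT_PUSH_PROMISE = 0x05, FT_GOAWAY = 0x07,
       FT_MAX_PUSH_ID = 0x0d };
#define H3_FRAME_UNEXPECTED 0x0105

/* Hypothetical receive-side state kept per request stream. */
typedef enum { RX_INITIAL, RX_HEADERS_DONE, RX_BODY, RX_TRAILERS_DONE } rx_state_t;

/* Validate one frame header before its payload is touched.
 * Returns 0 if the frame is allowed in the current state, otherwise
 * H3_FRAME_UNEXPECTED, which the caller must raise as a connection error. */
int rx_on_frame(rx_state_t *st, uint64_t type)
{
    switch (type) {
    case FT_HEADERS:
        if (*st == RX_INITIAL) { *st = RX_HEADERS_DONE; return 0; }
        /* A second HEADERS frame is the trailer section. */
        if (*st == RX_HEADERS_DONE || *st == RX_BODY) { *st = RX_TRAILERS_DONE; return 0; }
        return H3_FRAME_UNEXPECTED;          /* HEADERS after trailers */
    case FT_DATA:
        if (*st == RX_HEADERS_DONE || *st == RX_BODY) { *st = RX_BODY; return 0; }
        return H3_FRAME_UNEXPECTED;          /* DATA first, or DATA after trailers */
    case FT_CANCEL_PUSH: case FT_SETTINGS: case FT_PUSH_PROMISE:
    case FT_GOAWAY: case FT_MAX_PUSH_ID:
        return H3_FRAME_UNEXPECTED;          /* never valid on a request stream */
    default:
        return 0;                            /* unknown frame types are ignored */
    }
}

/* Run a whole sequence of frame types through the state machine;
 * stops at the first violation and returns its error code. */
int rx_check_sequence(const uint64_t *types, size_t n)
{
    rx_state_t st = RX_INITIAL;
    for (size_t i = 0; i < n; i++) {
        int rc = rx_on_frame(&st, types[i]);
        if (rc != 0) {
            return rc;
        }
    }
    return 0;
}
```
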