What happened?
RFC 9114 Section 4.1:
“Receipt of an invalid sequence of frames MUST be treated as a connection error of type H3_FRAME_UNEXPECTED. … a HEADERS or DATA frame after the trailing HEADERS frame, is considered invalid.”
部分实现,但不完整
xquic在 xqc_h3_request_on_recv_header() 中检查了 current_header >= XQC_H3_REQUEST_MAX_HEADERS_CNT(即超过2个HEADERS帧),返回 -XQC_H3_INVALID_HEADER。但这个检查仅覆盖了"第三个HEADERS帧"的情况,没有覆盖"尾部HEADERS帧之后收到DATA帧"的情况。
xqc_h3_request.c:803-806 xqc_h3_request_on_recv_header() 仅检查HEADERS帧数量是否超过2; xqc_h3_stream.c:1000-1033 DATA帧处理无帧序列状态检查
nghttp3_stream.c:1059-1228 nghttp3_stream_transit_rx_http_state() – 完整的状态机,NGHTTP3_HTTP_STATE_REQ_TRAILERS_END和RESP_TRAILERS_END状态下收到任何非MSG_END事件都返回 NGHTTP3_ERR_H3_FRAME_UNEXPECTED
修复建议:
实现完整的帧序列状态机,在trailer HEADERS之后拒绝DATA帧
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output
What happened?
RFC 9114 Section 4.1:
“Receipt of an invalid sequence of frames MUST be treated as a connection error of type H3_FRAME_UNEXPECTED. … a HEADERS or DATA frame after the trailing HEADERS frame, is considered invalid.”
部分实现,但不完整
xquic在 xqc_h3_request_on_recv_header() 中检查了 current_header >= XQC_H3_REQUEST_MAX_HEADERS_CNT(即超过2个HEADERS帧),返回 -XQC_H3_INVALID_HEADER。但这个检查仅覆盖了"第三个HEADERS帧"的情况,没有覆盖"尾部HEADERS帧之后收到DATA帧"的情况。
xqc_h3_request.c:803-806 xqc_h3_request_on_recv_header() 仅检查HEADERS帧数量是否超过2; xqc_h3_stream.c:1000-1033 DATA帧处理无帧序列状态检查
nghttp3_stream.c:1059-1228 nghttp3_stream_transit_rx_http_state() – 完整的状态机,NGHTTP3_HTTP_STATE_REQ_TRAILERS_END和RESP_TRAILERS_END状态下收到任何非MSG_END事件都返回 NGHTTP3_ERR_H3_FRAME_UNEXPECTED
修复建议:
实现完整的帧序列状态机,在trailer HEADERS之后拒绝DATA帧
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output