diff --git a/src/core/transport/chttp2/hpack_parser.c b/src/core/transport/chttp2/hpack_parser.c
index 30f0d469e38b01580d1be6eaa7b9b57a7ee5448a..fea000089600100efd0c830962c174836c925d4f 100644
--- a/src/core/transport/chttp2/hpack_parser.c
+++ b/src/core/transport/chttp2/hpack_parser.c
@@ -1066,7 +1066,7 @@ static int parse_value4(grpc_chttp2_hpack_parser *p, const gpr_uint8 *cur,
error:
gpr_log(GPR_ERROR,
"integer overflow in hpack integer decoding: have 0x%08x, "
- "got byte 0x%02x",
+ "got byte 0x%02x on byte 5",
*p->parsing.value, *cur);
return parse_error(p, cur, end);
}
@@ -1091,7 +1091,8 @@ static int parse_value5up(grpc_chttp2_hpack_parser *p, const gpr_uint8 *cur,
gpr_log(GPR_ERROR,
"integer overflow in hpack integer decoding: have 0x%08x, "
- "got byte 0x%02x sometime after byte 4");
+ "got byte 0x%02x sometime after byte 5",
+ *p->parsing.value, *cur);
return parse_error(p, cur, end);
}
diff --git a/test/core/bad_client/tests/headers.c b/test/core/bad_client/tests/headers.c
index 5547aca210dbffc090760fddb8dee60082e15583..39ce7838de59f0684236e691dea5d59018355252 100644
--- a/test/core/bad_client/tests/headers.c
+++ b/test/core/bad_client/tests/headers.c
@@ -94,6 +94,10 @@ int main(int argc, char **argv) {
"\x00\x00\x04\x01\x24\x00\x00\x00\x01"
"\x00\x00\x00\x00",
0);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x05\x01\x24\x00\x00\x00\x01"
+ "",
+ GRPC_BAD_CLIENT_DISCONNECT);
GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
"\x00\x00\x05\x01\x24\x00\x00\x00\x01"
"\x00",
@@ -171,10 +175,52 @@ int main(int argc, char **argv) {
"\x00\x00\x07\x01\x04\x00\x00\x00\x01"
"\xff\x80\x80\x80\x80\x80\x00",
0);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x80\x80",
+ GRPC_BAD_CLIENT_DISCONNECT);
GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
"\x00\x00\x08\x01\x04\x00\x00\x00\x01"
"\xff\x80\x80\x80\x80\x80\x80\x00",
0);
+ /* overflow on byte 4 */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x06\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x7f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x06\x01\x04\x00\x00\x00\x01"
+ "\xff\xff\xff\xff\xff\x0f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ /* overflow after byte 4 */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x08\x01\x04\x00\x00\x00\x01"
+ "\xff\x80\x80\x80\x80\x80\x80\x02",
+ 0);
/* end of headers mid-opcode */
GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
"\x00\x00\x01\x01\x04\x00\x00\x00\x01"
@@ -187,11 +233,22 @@ int main(int argc, char **argv) {
"\x00\x00\x03\x01\x04\x00\x00\x00\x01"
"\x3f\xe1\x1f",
GRPC_BAD_CLIENT_DISCONNECT);
+ /* dynamic table size update: set too large */
GRPC_RUN_BAD_CLIENT_TEST(verifier,
PFX_STR
"\x00\x00\x03\x01\x04\x00\x00\x00\x01"
"\x3f\xf1\x1f",
0);
+ /* dynamic table size update: set twice */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x04\x01\x04\x00\x00\x00\x01"
+ "\x20\x3f\xe1\x1f",
+ GRPC_BAD_CLIENT_DISCONNECT);
+ /* dynamic table size update: set thrice */
+ GRPC_RUN_BAD_CLIENT_TEST(verifier, PFX_STR
+ "\x00\x00\x03\x01\x04\x00\x00\x00\x01"
+ "\x20\x20\x20",
+ 0);
/* non-ending header followed by continuation frame */
GRPC_RUN_BAD_CLIENT_TEST(verifier,