Merge pull request #4334 from ctiller/lonely-data

Fix fuzzing detected crash

src/core/transport/chttp2/hpack_parser.c

@@ -1418,15 +1418,19 @@ grpc_chttp2_parse_error grpc_chttp2_header_parser_parse(
       GPR_TIMER_END("grpc_chttp2_hpack_parser_parse", 0);
       return GRPC_CHTTP2_CONNECTION_ERROR;
     }
-    if (parser->is_boundary) {
-      stream_parsing
-          ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
-      stream_parsing->header_frames_received++;
-      grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
-                                               stream_parsing);
-    }
-    if (parser->is_eof) {
-      stream_parsing->received_close = 1;
+    /* need to check for null stream: this can occur if we receive an invalid
+       stream id on a header */
+    if (stream_parsing != NULL) {
+      if (parser->is_boundary) {
+        stream_parsing
+            ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1;
+        stream_parsing->header_frames_received++;
+        grpc_chttp2_list_add_parsing_seen_stream(transport_parsing,
+                                                 stream_parsing);
+      }
+      if (parser->is_eof) {
+        stream_parsing->received_close = 1;
+      }
     }
     parser->on_header = on_header_not_set;
     parser->on_header_user_data = NULL;

test/core/bad_client/tests/headers.c

@@ -195,5 +195,11 @@ int main(int argc, char **argv) {
                            "\x00\x00\x00\x09\x04\x00\x00\x00\x01",
                            0);
 
+  /* an invalid header found with fuzzing */
+  GRPC_RUN_BAD_CLIENT_TEST(verifier,
+                           PFX_STR 
+                           "\x00\x00\x00\x01\x39\x67\xed\x1d\x64",
+                           GRPC_BAD_CLIENT_DISCONNECT);
+
   return 0;
 }