Guard against oversized SPDY frames

dims · thaJeztah · commit cf0ec5d0fe4d · 2026-03-29T12:10:19.000+02:00
Signed-off-by: Davanum Srinivas &lt;davanum@gmail.com&gt;
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/connection.go b/connection.go
@@ -350,6 +350,9 @@ Loop:
 			} else {
 				debugMessage("(%p) EOF received", s)
 			}
+			if spdyErr, ok := err.(*spdy.Error); ok && spdyErr.Err == spdy.InvalidControlFrame {
+				_ = s.conn.Close()
+			}
 			break
 		}
 		var priority uint8
diff --git a/spdy/read.go b/spdy/read.go
@@ -43,6 +43,11 @@ func (frame *SettingsFrame) read(h ControlFrameHeader, f *Framer) error {
 	if err := binary.Read(f.r, binary.BigEndian, &numSettings); err != nil {
 		return err
 	}
+	// Each setting is 8 bytes (4-byte id + 4-byte value).
+	// Payload is 4 bytes for numSettings + numSettings*8.
+	if h.length < 4 || numSettings > (h.length-4)/8 {
+		return &Error{InvalidControlFrame, 0}
+	}
 	frame.FlagIdValues = make([]SettingsFlagIdValue, numSettings)
 	for i := uint32(0); i < numSettings; i++ {
 		if err := binary.Read(f.r, binary.BigEndian, &frame.FlagIdValues[i].Id); err != nil {
@@ -161,8 +166,19 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (
 	if err := binary.Read(f.r, binary.BigEndian, &length); err != nil {
 		return nil, err
 	}
+	maxControlFramePayload := uint32(MaxDataLength)
+	if f.maxFrameLength > 0 {
+		maxControlFramePayload = f.maxFrameLength
+	}
+
 	flags := ControlFlags((length & 0xff000000) >> 24)
 	length &= 0xffffff
+	if length > maxControlFramePayload {
+		if _, err := io.CopyN(io.Discard, f.r, int64(length)); err != nil {
+			return nil, err
+		}
+		return nil, &Error{InvalidControlFrame, 0}
+	}
 	header := ControlFrameHeader{version, frameType, flags, length}
 	cframe, err := newControlFrame(frameType)
 	if err != nil {
@@ -174,7 +190,7 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (
 	return cframe, nil
 }
 
-func parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {
+func (f *Framer) parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {
 	var numHeaders uint32
 	if err := binary.Read(r, binary.BigEndian, &numHeaders); err != nil {
 		return nil, err
@@ -240,7 +256,7 @@ func (f *Framer) readSynStreamFrame(h ControlFrameHeader, frame *SynStreamFrame)
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}
@@ -272,7 +288,7 @@ func (f *Framer) readSynReplyFrame(h ControlFrameHeader, frame *SynReplyFrame) e
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}
@@ -304,7 +320,7 @@ func (f *Framer) readHeadersFrame(h ControlFrameHeader, frame *HeadersFrame) err
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}
diff --git a/spdy/spdy_test.go b/spdy/spdy_test.go
@@ -27,7 +27,8 @@ func TestHeaderParsing(t *testing.T) {
 	var headerValueBlockBuf bytes.Buffer
 	writeHeaderValueBlock(&headerValueBlockBuf, HeadersFixture)
 	const bogusStreamId = 1
-	newHeaders, err := parseHeaderValueBlock(&headerValueBlockBuf, bogusStreamId)
+	f := &Framer{}
+	newHeaders, err := f.parseHeaderValueBlock(&headerValueBlockBuf, bogusStreamId)
 	if err != nil {
 		t.Fatal("parseHeaderValueBlock:", err)
 	}
@@ -223,6 +224,51 @@ func TestCreateParseSettings(t *testing.T) {
 	}
 }
 
+func TestReadFrameRejectsOversizedControlFrame(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	framer, err := NewFramer(buffer, buffer)
+	if err != nil {
+		t.Fatal("Failed to create new framer:", err)
+	}
+	framer.maxFrameLength = 1
+
+	// Control frame header (version 3, SETTINGS, length = 2)
+	_, _ = buffer.Write([]byte{
+		0x80, 0x03, // control frame + version
+		0x00, 0x04, // SETTINGS
+		0x00,             // flags
+		0x00, 0x00, 0x02, // length = 2
+		0x00, 0x01, // payload (2 bytes)
+	})
+
+	_, err = framer.ReadFrame()
+	if err == nil {
+		t.Fatal("expected error for oversized control frame")
+	}
+}
+
+func TestReadFrameRejectsSettingsLengthMismatch(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	framer, err := NewFramer(buffer, buffer)
+	if err != nil {
+		t.Fatal("Failed to create new framer:", err)
+	}
+
+	// SETTINGS frame with declared payload length 0, but includes numSettings.
+	_, _ = buffer.Write([]byte{
+		0x80, 0x03, // control frame + version
+		0x00, 0x04, // SETTINGS
+		0x00,             // flags
+		0x00, 0x00, 0x00, // length = 0
+		0x00, 0x00, 0x00, 0x01, // numSettings = 1
+	})
+
+	_, err = framer.ReadFrame()
+	if err == nil {
+		t.Fatal("expected error for SETTINGS length mismatch")
+	}
+}
+
 func TestCreateParsePing(t *testing.T) {
 	buffer := new(bytes.Buffer)
 	framer, err := NewFramer(buffer, buffer)
diff --git a/spdy/types.go b/spdy/types.go
@@ -255,6 +255,8 @@ type Framer struct {
 	r                         io.Reader
 	headerReader              io.LimitedReader
 	headerDecompressor        io.ReadCloser
+
+	maxFrameLength uint32 // overrides the default frame payload length limit.
 }
 
 // NewFramer allocates a new Framer for a given SPDY connection, represented by

Original file line number	Diff line number	Diff line change
`@@ -350,6 +350,9 @@ Loop:`
`350`	`350`	`} else {`
`351`	`351`	`debugMessage("(%p) EOF received", s)`
`352`	`352`	`}`
	`353`	`+ if spdyErr, ok := err.(*spdy.Error); ok && spdyErr.Err == spdy.InvalidControlFrame {`
	`354`	`+ _ = s.conn.Close()`
	`355`	`+ }`
`353`	`356`	`break`
`354`	`357`	`}`
`355`	`358`	`var priority uint8`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,11 @@ func (frame SettingsFrame) read(h ControlFrameHeader, f Framer) error {`
`43`	`43`	`if err := binary.Read(f.r, binary.BigEndian, &numSettings); err != nil {`
`44`	`44`	`return err`
`45`	`45`	`}`
	`46`	`+ // Each setting is 8 bytes (4-byte id + 4-byte value).`
	`47`	`+ // Payload is 4 bytes for numSettings + numSettings*8.`
	`48`	`+ if h.length < 4 \|\| numSettings > (h.length-4)/8 {`
	`49`	`+ return &Error{InvalidControlFrame, 0}`
	`50`	`+ }`
`46`	`51`	`frame.FlagIdValues = make([]SettingsFlagIdValue, numSettings)`
`47`	`52`	`for i := uint32(0); i < numSettings; i++ {`
`48`	`53`	`if err := binary.Read(f.r, binary.BigEndian, &frame.FlagIdValues[i].Id); err != nil {`
`@@ -161,8 +166,19 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (`
`161`	`166`	`if err := binary.Read(f.r, binary.BigEndian, &length); err != nil {`
`162`	`167`	`return nil, err`
`163`	`168`	`}`
	`169`	`+ maxControlFramePayload := uint32(MaxDataLength)`
	`170`	`+ if f.maxFrameLength > 0 {`
	`171`	`+ maxControlFramePayload = f.maxFrameLength`
	`172`	`+ }`
	`173`	`+`
`164`	`174`	`flags := ControlFlags((length & 0xff000000) >> 24)`
`165`	`175`	`length &= 0xffffff`
	`176`	`+ if length > maxControlFramePayload {`
	`177`	`+ if _, err := io.CopyN(io.Discard, f.r, int64(length)); err != nil {`
	`178`	`+ return nil, err`
	`179`	`+ }`
	`180`	`+ return nil, &Error{InvalidControlFrame, 0}`
	`181`	`+ }`
`166`	`182`	`header := ControlFrameHeader{version, frameType, flags, length}`
`167`	`183`	`cframe, err := newControlFrame(frameType)`
`168`	`184`	`if err != nil {`
`@@ -174,7 +190,7 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (`
`174`	`190`	`return cframe, nil`
`175`	`191`	`}`
`176`	`192`
`177`		`-func parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {`
	`193`	`+func (f *Framer) parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {`
`178`	`194`	`var numHeaders uint32`
`179`	`195`	`if err := binary.Read(r, binary.BigEndian, &numHeaders); err != nil {`
`180`	`196`	`return nil, err`
`@@ -240,7 +256,7 @@ func (f Framer) readSynStreamFrame(h ControlFrameHeader, frame SynStreamFrame)`
`240`	`256`	`}`
`241`	`257`	`reader = f.headerDecompressor`
`242`	`258`	`}`
`243`		`- frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)`
	`259`	`+ frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)`
`244`	`260`	`if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 \|\| f.headerReader.N != 0) {`
`245`	`261`	`err = &Error{WrongCompressedPayloadSize, 0}`
`246`	`262`	`}`
`@@ -272,7 +288,7 @@ func (f Framer) readSynReplyFrame(h ControlFrameHeader, frame SynReplyFrame) e`
`272`	`288`	`}`
`273`	`289`	`reader = f.headerDecompressor`
`274`	`290`	`}`
`275`		`- frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)`
	`291`	`+ frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)`
`276`	`292`	`if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 \|\| f.headerReader.N != 0) {`
`277`	`293`	`err = &Error{WrongCompressedPayloadSize, 0}`
`278`	`294`	`}`
`@@ -304,7 +320,7 @@ func (f Framer) readHeadersFrame(h ControlFrameHeader, frame HeadersFrame) err`
`304`	`320`	`}`
`305`	`321`	`reader = f.headerDecompressor`
`306`	`322`	`}`
`307`		`- frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)`
	`323`	`+ frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)`
`308`	`324`	`if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 \|\| f.headerReader.N != 0) {`
`309`	`325`	`err = &Error{WrongCompressedPayloadSize, 0}`
`310`	`326`	`}`
Original file line number	Diff line number	Diff line change
`@@ -255,6 +255,8 @@ type Framer struct {`
`255`	`255`	`r io.Reader`
`256`	`256`	`headerReader io.LimitedReader`
`257`	`257`	`headerDecompressor io.ReadCloser`
	`258`	`+`
	`259`	`+ maxFrameLength uint32 // overrides the default frame payload length limit.`
`258`	`260`	`}`
`259`	`261`
`260`	`262`	`// NewFramer allocates a new Framer for a given SPDY connection, represented by`