Invalid flags now result in a GOAWAY

net/spdy/spdy_framer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // TODO(rtenhove) clean up frame buffer size calculations so that we aren't
 // constantly adding and subtracting header sizes; this is ugly and error-
 // prone.
 
 #include "net/spdy/spdy_framer.h"
 
@@ skipping 189 matching lines @@
     case SPDY_ZLIB_INIT_FAILURE:
       return "ZLIB_INIT_FAILURE";
     case SPDY_UNSUPPORTED_VERSION:
       return "UNSUPPORTED_VERSION";
     case SPDY_DECOMPRESS_FAILURE:
       return "DECOMPRESS_FAILURE";
     case SPDY_COMPRESS_FAILURE:
       return "COMPRESS_FAILURE";
     case SPDY_INVALID_DATA_FRAME_FLAGS:
       return "SPDY_INVALID_DATA_FRAME_FLAGS";
+    case SPDY_INVALID_CONTROL_FRAME_FLAGS:
+      return "SPDY_INVALID_CONTROL_FRAME_FLAGS";
   }
   return "UNKNOWN_ERROR";
 }
 
 const char* SpdyFramer::StatusCodeToString(int status_code) {
   switch (status_code) {
     case RST_STREAM_INVALID:
       return "INVALID";
     case RST_STREAM_PROTOCOL_ERROR:
       return "PROTOCOL_ERROR";
@@ skipping 180 matching lines @@
     if (remaining_data_ > 1000000u &&
         !syn_frame_processed_ &&
           strncmp(current_frame_buffer_.get(), "HTTP/", 5) == 0) {
         LOG(WARNING) << "Unexpected HTTP response to spdy request";
         probable_http_response_ = true;
     }
 
     // if we're here, then we have the common header all received.
     if (!current_frame.is_control_frame()) {
       SpdyDataFrame data_frame(current_frame_buffer_.get(), false);
-      visitor_->OnDataFrameHeader(&data_frame);
+      if (data_frame.flags() & ~DATA_FLAG_FIN) {
+        set_error(SPDY_INVALID_DATA_FRAME_FLAGS);
+      } else {
+        visitor_->OnDataFrameHeader(&data_frame);
 
-      if (current_frame.length() > 0) {
-        CHANGE_STATE(SPDY_FORWARD_STREAM_FRAME);
-      } else {
-        // Empty data frame.
-        if (current_frame.flags() & DATA_FLAG_FIN) {
-          visitor_->OnStreamFrameData(data_frame.stream_id(),
-                                      NULL, 0, DATA_FLAG_FIN);
+        if (current_frame.length() > 0) {
+          CHANGE_STATE(SPDY_FORWARD_STREAM_FRAME);
+        } else {
+          // Empty data frame.
+          if (current_frame.flags() & DATA_FLAG_FIN) {
+            visitor_->OnStreamFrameData(data_frame.stream_id(),
+                                        NULL, 0, DATA_FLAG_FIN);
+          }
+          CHANGE_STATE(SPDY_AUTO_RESET);
         }
-        CHANGE_STATE(SPDY_AUTO_RESET);
       }
     } else {
       ProcessControlFrameHeader();
     }
   }
   return original_len - len;
 }
 
 void SpdyFramer::ProcessControlFrameHeader() {
   DCHECK_EQ(SPDY_NO_ERROR, error_code_);
@@ skipping 21 matching lines @@
   if (current_control_frame.type() == NOOP) {
     DLOG(INFO) << "NOOP control frame found. Ignoring.";
     CHANGE_STATE(SPDY_AUTO_RESET);
     return;
   }
 
   // Do some sanity checking on the control frame sizes.
   switch (current_control_frame.type()) {
     case SYN_STREAM:
       if (current_control_frame.length() <
-          SpdySynStreamControlFrame::size() - SpdyControlFrame::kHeaderSize)
+          SpdySynStreamControlFrame::size() - SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() &
+                 ~(CONTROL_FLAG_FIN | CONTROL_FLAG_UNIDIRECTIONAL)) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case SYN_REPLY:
       if (current_control_frame.length() <
-          SpdySynReplyControlFrame::size() - SpdyControlFrame::kHeaderSize)
+          SpdySynReplyControlFrame::size() - SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() & ~CONTROL_FLAG_FIN) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case RST_STREAM:
       if (current_control_frame.length() !=
-          SpdyRstStreamControlFrame::size() - SpdyFrame::kHeaderSize)
+          SpdyRstStreamControlFrame::size() - SpdyFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() != 0) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case SETTINGS:
       // Make sure that we have an integral number of 8-byte key/value pairs,
       // plus a 4-byte length field.
       if (current_control_frame.length() <
           SpdySettingsControlFrame::size() - SpdyControlFrame::kHeaderSize ||
           (current_control_frame.length() % 8 != 4)) {
         DLOG(WARNING) << "Invalid length for SETTINGS frame: "
                       << current_control_frame.length();
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() &
+                 ~SETTINGS_FLAG_CLEAR_PREVIOUSLY_PERSISTED_SETTINGS) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
       }
       break;
     case GOAWAY:
       {
         // SPDY 2 GOAWAY frames are 4 bytes smaller than in SPDY 3. We account
         // for this difference via a separate offset variable, since
         // SpdyGoAwayControlFrame::size() returns the SPDY 3 size.
         const size_t goaway_offset = (protocol_version() < 3) ? 4 : 0;
         if (current_control_frame.length() + goaway_offset !=
-            SpdyGoAwayControlFrame::size() - SpdyFrame::kHeaderSize)
+            SpdyGoAwayControlFrame::size() - SpdyFrame::kHeaderSize) {
           set_error(SPDY_INVALID_CONTROL_FRAME);
+        } else if (current_control_frame.flags() != 0) {
+          set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+        }
         break;
       }
     case HEADERS:
       if (current_control_frame.length() <
-          SpdyHeadersControlFrame::size() - SpdyControlFrame::kHeaderSize)
+          SpdyHeadersControlFrame::size() - SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() & ~CONTROL_FLAG_FIN) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case WINDOW_UPDATE:
       if (current_control_frame.length() !=
           SpdyWindowUpdateControlFrame::size() -
-          SpdyControlFrame::kHeaderSize)
+          SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() != 0) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case PING:
       if (current_control_frame.length() !=
-          SpdyPingControlFrame::size() - SpdyControlFrame::kHeaderSize)
+          SpdyPingControlFrame::size() - SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() != 0) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     case CREDENTIAL:
       if (current_control_frame.length() <
-          SpdyCredentialControlFrame::size() - SpdyControlFrame::kHeaderSize)
+          SpdyCredentialControlFrame::size() - SpdyControlFrame::kHeaderSize) {
         set_error(SPDY_INVALID_CONTROL_FRAME);
+      } else if (current_control_frame.flags() != 0) {
+        set_error(SPDY_INVALID_CONTROL_FRAME_FLAGS);
+      }
       break;
     default:
       LOG(WARNING) << "Valid " << display_protocol_
                    << " control frame with unhandled type: "
                    << current_control_frame.type();
       DLOG(FATAL);
       set_error(SPDY_INVALID_CONTROL_FRAME);
       break;
   }
 
@@ skipping 1349 matching lines @@
     }
   }
   return stream_id;
 }
 
 void SpdyFramer::set_enable_compression(bool value) {
   enable_compression_ = value;
 }
 
 }  // namespace net