Fix Stack Buffer Overflow in QuicClientPromisedInfo::OnPromiseHeaders

BUG=777728 Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet Change-Id: I6a80db88aafdf20c7abd3847404b818565681310 Reviewed-on: https://chromium-review.googlesource.com/748425Reviewed-by: Zhongyi Shi <zhongyi@chromium.org> Commit-Queue: Ryan Hamilton <rch@chromium.org> Cr-Commit-Position: refs/heads/master@{#513105}

Fix Stack Buffer Overflow in QuicClientPromisedInfo::OnPromiseHeaders
BUG=777728 Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet Change-Id: I6a80db88aafdf20c7abd3847404b818565681310 Reviewed-on: https://chromium-review.googlesource.com/748425Reviewed-by: Zhongyi Shi <zhongyi@chromium.org> Commit-Queue: Ryan Hamilton <rch@chromium.org> Cr-Commit-Position: refs/heads/master@{#513105}
7a6484fa · Ryan Hamilton · Commit Bot · 0ab62831 · 7a6484fa · 7a6484fa
Commit 7a6484fa authored Nov 01, 2017 by Ryan Hamilton Committed by Commit Bot Nov 01, 2017
Showing with 18 additions and 1 deletion

net/quic/core/quic_client_promised_info.cc net/quic/core/quic_client_promised_info.cc +5 -1

net/quic/core/quic_client_promised_info_test.cc net/quic/core/quic_client_promised_info_test.cc +13 -0

No files found.
--- a/net/quic/core/quic_client_promised_info.cc
+++ b/net/quic/core/quic_client_promised_info.cc
@@ -43,7 +43,11 @@ void QuicClientPromisedInfo::OnPromiseHeaders(const SpdyHeaderBlock& headers) {
  // RFC7540, Section 8.2, requests MUST be safe [RFC7231], Section
  // 4.2.1.  GET and HEAD are the methods that are safe and required.
  SpdyHeaderBlock::const_iterator it = headers.find(kHttp2MethodHeader);
-  DCHECK(it != headers.end());
+  if (it == headers.end()) {
+    QUIC_DVLOG(1) << "Promise for stream " << id_ << " has no method";
+    Reset(QUIC_INVALID_PROMISE_METHOD);
+    return;
+  }
  if (!(it->second == "GET" || it->second == "HEAD")) {
    QUIC_DVLOG(1) << "Promise for stream " << id_ << " has invalid method "
                  << it->second;

--- a/net/quic/core/quic_client_promised_info_test.cc
+++ b/net/quic/core/quic_client_promised_info_test.cc
@@ -154,6 +154,19 @@ TEST_F(QuicClientPromisedInfoTest, PushPromiseInvalidMethod) {
  EXPECT_EQ(session_.GetPromisedByUrl(promise_url_), nullptr);
 }

+TEST_F(QuicClientPromisedInfoTest, PushPromiseMissingMethod) {
+  // Promise with a missing method
+  push_promise_.erase(":method");
+
+  EXPECT_CALL(*connection_,
+              SendRstStream(promise_id_, QUIC_INVALID_PROMISE_METHOD, 0));
+  ReceivePromise(promise_id_);
+
+  // Verify that the promise headers were ignored
+  EXPECT_EQ(session_.GetPromisedById(promise_id_), nullptr);
+  EXPECT_EQ(session_.GetPromisedByUrl(promise_url_), nullptr);
+}
+
 TEST_F(QuicClientPromisedInfoTest, PushPromiseInvalidUrl) {
  // Remove required header field to make URL invalid
  push_promise_.erase(":authority");