# HG changeset patch
# User Piotr Sikora <piotrsikora@google.com>
# Date 1443756355 25200
# Node ID 22ee99422329070789536dc8914e1b0cae3450db
# Parent  e769cc88f99683df799299a6ae3702fd282a0ac2
HTTP/2: reject self-dependent streams.

Per RFC7540, a stream cannot depend on itself.

Previously, this requirement was enforced on PRIORITY frames, but not on
HEADERS frames and due to the implementation details nginx worker would
crash (stack overflow) while opening self-dependent stream.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1133,6 +1133,22 @@ ngx_http_v2_state_headers(ngx_http_v2_co
 
     h2c->last_sid = h2c->state.sid;
 
+    if (depend == h2c->state.sid) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent HEADERS frame for stream %ui "
+                      "with incorrect dependency", h2c->state.sid);
+
+        if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid,
+                                        NGX_HTTP_V2_PROTOCOL_ERROR)
+            != NGX_OK)
+        {
+            return ngx_http_v2_connection_error(h2c,
+                                                NGX_HTTP_V2_INTERNAL_ERROR);
+        }
+
+        return ngx_http_v2_state_skip_headers(h2c, pos, end);
+    }
+
     h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
                                          ngx_http_v2_module);