Merge pull request #3377 from ericgribkoff/experimental_settings_id

Avoid index out of bounds with Http/2 settings id in the experimental range
square · Jun 5, 2017 · 7f053b0 · 7f053b0
2 parents 0891a7d + 3819ed0
commit 7f053b0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/okhttp-tests/src/test/java/okhttp3/internal/http2/Http2Test.java b/okhttp-tests/src/test/java/okhttp3/internal/http2/Http2Test.java
@@ -278,6 +278,21 @@ public void pushPromise(int streamId, int promisedStreamId, List<Header> headerB
     assertEquals(settingValue.intValue(), 1);
   }
 
+  @Test public void readSettingsFrameExperimentalId() throws IOException {
+    writeMedium(frame, 6); // 2 for the code and 4 for the value
+    frame.writeByte(Http2.TYPE_SETTINGS);
+    frame.writeByte(Http2.FLAG_NONE);
+    frame.writeInt(0); // Settings are always on the connection stream 0.
+    frame.write(ByteString.decodeHex("f000")); // Id reserved for experimental use.
+    frame.writeInt(1);
+
+    reader.nextFrame(false, new BaseTestHandler() {
+      @Override public void settings(boolean clearPrevious, Settings settings) {
+        // no-op
+      }
+    });
+  }
+
   @Test public void readSettingsFrameNegativeWindowSize() throws IOException {
     writeMedium(frame, 6); // 2 for the code and 4 for the value
     frame.writeByte(Http2.TYPE_SETTINGS);

diff --git a/okhttp/src/main/java/okhttp3/internal/http2/Settings.java b/okhttp/src/main/java/okhttp3/internal/http2/Settings.java
@@ -56,7 +56,7 @@ void clear() {
   }
 
   Settings set(int id, int value) {
-    if (id >= values.length) {
+    if (id < 0 || id >= values.length) {
       return this; // Discard unknown settings.
     }