[Libwebsockets] empty settings frame from remote client

Andy Green andy at warmcat.com
Wed Aug 26 12:17:27 CEST 2020

On 8/26/20 10:50 AM, Marek 'MMx' Ludha wrote:
> Hi.
> I believe there's a bug here: 
> https://libwebsockets.org/git/libwebsockets/tree/lib/roles/h2/http2.c?h=v4.0-stable#n1109 
> (also in master: 
> https://libwebsockets.org/git/libwebsockets/tree/lib/roles/h2/http2.c#n1119)
> This line disallows remote clients to send a Settings frame with length 
> 0 without ACK flag set. I didn't find any mention in the RFC that this 
> should be an error. On the contrary, it explicitly allows for empty 
> Settings frame after client preface: "This sequence ["PRI * 
> HTTP/2.0\r\n\r\nSM\r\n\r\n"] MUST be followed by a SETTINGS frame 
> (Section 6.5), which MAY be empty." 
> (https://tools.ietf.org/html/rfc7540#section-3.5).
> Is there any intention behind this check or do you consider it a bug?

The only intention was to be paranoid about what was coming in... but as 
you point out the spec is telling that is allowed.

I pushed a patch on master and v4.0-stable removing the check.


> Regards,
> Marek Ludha
> _______________________________________________
> Libwebsockets mailing list
> Libwebsockets at ml.libwebsockets.org
> https://libwebsockets.org/mailman/listinfo/libwebsockets

More information about the Libwebsockets mailing list