Mask reserved bit when parsing GoAway and WindowUpdate frames by bysiber · Pull Request #168 · python-hyper/hyperframe
and others added 2 commits
GoAwayFrame.serialize_body already masks last_stream_id with & 0x7FFFFFFF, but parse_body reads the raw 32-bit value without stripping the reserved top bit. If a peer happens to set that bit, last_stream_id would be read as a value >= 2^31 instead of the actual stream ID. Similarly, WindowUpdateFrame.serialize_body masks window_increment with & 0x7FFFFFFF, but parse_body doesn't. If the reserved bit is set, the unmasked value exceeds 2^31-1 and the frame is rejected with InvalidDataError — even though RFC 9113 Section 6.9 says the reserved bit "MUST be ignored when receiving." The rest of the codebase already follows this pattern: - Frame.parse_frame_header masks stream_id & 0x7FFFFFFF - Priority.parse_priority_data masks depends_on & 0x7FFFFFFF Add the same mask to GoAwayFrame.parse_body and WindowUpdateFrame.parse_body for consistency.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters