Fix for a fuzzer-discovered integer underflow of the flow control window size

[f0rki]

Fuzzing discovered a integer underflow in the flow control handling that can be triggered by a certain sequence of frames. In release builds this would lead to wrap-around of the negative window. This seems incorrect to me. I did not find anything definitive in the http2 spec.

Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow

Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with debug_assert!, assuming that those code paths do not over/underflow. In this case I left TODO: comments.

[82marbag]

There are some debug left around here and in other files. Are these on purpose?

[f0rki]

Yes. Whenever it was obvious on how to handle a potential overflow, I did. However, many of the call sites do not have a Result return type, so it is not easy to propagate the Error. I assume that those functions should not be able not fail. I did not want to incur additional overhead in release builds, so I stuck with debug_assert! and left the TODO comment. For those TODOs someone with more experience with the code should check whether they are fine to be left as debug_assert!, whether they should be checked with assert! or whether error propagation is needed.

[f0rki]

FYI: I did more fuzzing runs with this patch and none of the debug_assert! are triggered, so that gives some assurance that the they are indeed not reachable. So I think we could remove the todo comments, but I would leave the debug_assert! as is.

[82marbag]

@f0rki is it ready for review?

[f0rki]

@f0rki is it ready for review?

looks good to me @82marbag @seanmonstar

[seanmonstar]

Excellent work, thank you!

[nox]

In an effort to understand a bit more what's going on in #607, I've been looking at the test from this PR to see if the root cause could be the same here.

I've managed to simplify the test there a great deal, which led me to this (I'll make a PR simplifying it, separately):

#[tokio::test]
async fn window_size_decremented_past_zero() {
    h2_support::trace_init!();
    let (io, mut client) = mock::new();

    let client = async move {
        let settings = client.assert_server_handshake().await;
        assert_default_settings!(settings);

        // HEADERS with invalid hpack stuff.
        client
            .send_bytes(&[
                0, 0, 23, 1, 1, 0, 0, 0, 1, 131, 1, 1, 1, 70, 1, 1, 1, 1, 65, 1, 1, 65, 1, 1,
                65, 1, 1, 1, 1, 1, 1, 190,
            ])
            .await;

        client.send_frame(frames::settings().initial_window_size(666413898)).await;
        client.send_frame(frames::settings().initial_window_size(3809661)).await;
        client.send_frame(frames::settings().initial_window_size(666413898)).await;
        client.send_frame(frames::settings().initial_window_size(3809661)).await;
        client.send_frame(frames::settings().initial_window_size(1467177332)).await;
        client.send_frame(frames::settings().initial_window_size(3844989)).await;
    };

    let srv = async move {
        let builder = server::Builder::new();
        let mut srv = builder.handshake::<_, Bytes>(io).await.expect("handshake");

        // just keep it open
        let res = poll_fn(move |cx| srv.poll_closed(cx)).await;
        tracing::debug!("{:?}", res);
    };

    join(client, srv).await;
}

The test fails if we put back an assertion in FlowControl::dec_send_window, as expected. If I remove any of the frames, the test passes.

So I looked into what happens when the initial window size setting is incremented or decremented, and I've found something suspicious.

h2/src/proto/streams/send.rs

Lines 469 to 480 in 3bce93e

	tracing::trace!(
	"decrementing stream window; id={:?}; decr={}; flow={:?}",
	stream.id,
	dec,
	stream.send_flow
	);
	// TODO: this decrement can underflow based on received frames!
	stream
	.send_flow
	.dec_send_window(dec)
	.map_err(proto::Error::library_go_away)?;

When a stream is already closed and the initial window size setting is incremented, nothing happens to the stream because it is already closed.

h2/src/proto/streams/prioritize.rs

Lines 306 to 309 in 3bce93e

	if stream.state.is_send_closed() && stream.buffered_send_data == 0 {
	// We can't send any data, so don't bother doing anything else.
	return Ok(());
	}

But when the initial window size setting is decremented, the stream window size is also decremented, so there is an imbalance there.

To double check my finding, I managed to reduce the number of frames to cause the assertion failure with:

        client.send_frame(frames::settings().initial_window_size(1329018135)).await;
        client.send_frame(frames::settings().initial_window_size(3809661)).await;
        client.send_frame(frames::settings().initial_window_size(1467177332)).await;
        client.send_frame(frames::settings().initial_window_size(3844989)).await;

Note that 1329018135 = 666413898 * 2 - 3809661, so after the second frame, the stream's window size is the same negative value as after the 4th one in the complete test above.