I have debugged a problem with SSE (server-sent events). The internal DoS protection of mod_h2 has a bug: it evaluates stream resets twice. It tolerates the reset the first time. It doesn't tolerate it the second time.
When a stream reset is received, this happens:
- From on_frame_recv_cb(), h2_mplx_c1_client_rst() is called. reset_is_acceptable() returns 1. (m_be_annoyed() is not called.)
- From on_stream_close_cb(), h2_stream_rst() is called, this sets stream->rst_error. Then, h2_mplx_c1_client_rst() is called again, this time reset_is_acceptable() returns 0 because stream->rst_error is set. m_be_annoyed() is called.
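A simplified C model of the call sequence described above, added here as an illustration and not taken from the mod_h2 source. The function names follow the report; their bodies, the two structs, the `dedupe` switch and the `rst_counted` guard are assumptions made to show the double evaluation next to a once-per-stream evaluation.

```c
#include <stdio.h>

/* Simplified model: names mirror the report, bodies are assumptions. */
typedef struct { int rst_error; int rst_counted; } stream_t;
typedef struct { int annoyed; int dedupe; } mplx_t;

/* Per the report: the reset is no longer acceptable once rst_error is set. */
static int reset_is_acceptable(const stream_t *s) { return s->rst_error == 0; }

/* Stand-in for the DoS-protection penalty. */
static void m_be_annoyed(mplx_t *m) { m->annoyed++; }

static void h2_mplx_c1_client_rst(mplx_t *m, stream_t *s) {
    if (m->dedupe) {                 /* hypothetical guard, not the project's fix */
        if (s->rst_counted) return;  /* this stream's reset was already evaluated */
        s->rst_counted = 1;
    }
    if (!reset_is_acceptable(s)) m_be_annoyed(m);
}

/* First evaluation: the RST_STREAM frame arrives. */
static void on_frame_recv_cb(mplx_t *m, stream_t *s) {
    h2_mplx_c1_client_rst(m, s);
}

/* Second evaluation: the stream closes. */
static void on_stream_close_cb(mplx_t *m, stream_t *s, int err) {
    s->rst_error = err;              /* what h2_stream_rst() does per the report */
    h2_mplx_c1_client_rst(m, s);
}

/* Penalties charged for a single client reset of one stream. */
int penalties_for_one_reset(int dedupe) {
    mplx_t m = {0, dedupe};
    stream_t s = {0, 0};
    on_frame_recv_cb(&m, &s);
    on_stream_close_cb(&m, &s, 8);   /* constructed input: 8 = HTTP/2 CANCEL */
    return m.annoyed;
}

int main(void) {
    printf("evaluated twice (as reported): %d penalty\n", penalties_for_one_reset(0));
    printf("evaluated once per stream:     %d penalty\n", penalties_for_one_reset(1));
    return 0;
}
```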