From 69df62f0ea490d6039a7ec00b9068a2b5628a4f9 Mon Sep 17 00:00:00 2001
From: Joris Vink
Date: Mon, 1 Jul 2013 12:34:18 +0200
Subject: [PATCH] when receiving SETTINGS verify that the number of settings received by the client matches the length of the SPDY frame we received. Otherwise bad clients could potentially cause us to misbehave.
---
 src/spdy.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/spdy.c b/src/spdy.c
index 2cfb284..0a255d8 100644
--- a/src/spdy.c
+++ b/src/spdy.c
@@ -447,12 +447,19 @@ static int
 spdy_ctrl_frame_settings(struct netbuf *nb)
 {
 u_int8_t *buf, flags;
- u_int32_t ecount, i, id, val;
+ u_int32_t ecount, i, id, val, length;
 struct connection *c = (struct connection *)nb->owner;
 ecount = net_read32(nb->buf + SPDY_FRAME_SIZE);
 kore_debug("SPDY_SETTINGS: %d settings present", ecount);
+ length = net_read32(nb->buf + 4) & 0xffffff;
+ if (length != ((ecount * 8) + 4)) {
+ kore_debug("ecount is not correct (%d != %d)", length,
+ (ecount * 8) + 4);
+ return (KORE_RESULT_ERROR);
+ }
+
 buf = nb->buf + SPDY_FRAME_SIZE + 4;
 for (i = 0; i < ecount; i++) {
 flags = *(u_int8_t *)buf;
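Review bot: The added check `length != ((ecount * 8) + 4)` is evaluated in 32-bit unsigned arithmetic, so a very large `ecount` taken from the frame wraps around and can still compare equal to the 24-bit `length`, leaving the `for (i = 0; i < ecount; i++)` loop free to walk past the received data. Derive the expected count from the length rather than multiplying the untrusted value, for example `if (length < 4 || ((length - 4) % 8) != 0 || ecount != (length - 4) / 8)`. The read of `ecount` at `nb->buf + SPDY_FRAME_SIZE` also happens before any length validation; whether the caller guarantees at least four payload bytes is not visible in this hunk. The loop body of spdy_ctrl_frame_settings continues outside the hunk, so the per-entry reads there should be checked against the same bound.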