From 12ddef72728707026a3d9adbbc28affa76faf688 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 26 Feb 2024 12:25:37 -0800
Subject: [PATCH] http2: reject DATA frames after 1xx and before final headers

When checking to see if a DATA frame can be accepted, check to
see if we have received a non-1xx header, not whether we have
received any header.

Fixes golang/go#65927

Change-Id: Id4fae1862de6179f8fc95e02dec7d4c47a7640e1
Reviewed-on: https://go-review.googlesource.com/c/net/+/567175
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 http2/transport.go      |  2 +-
 http2/transport_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/http2/transport.go b/http2/transport.go
index 04db29275..44845bafd 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -2787,7 +2787,7 @@ func (rl *clientConnReadLoop) processData(f *DataFrame) error {
 		})
 		return nil
 	}
-	if !cs.firstByte {
+	if !cs.pastHeaders {
 		cc.logf("protocol error: received DATA before a HEADERS frame")
 		rl.endStreamError(cs, StreamError{
 			StreamID: f.StreamID,
diff --git a/http2/transport_test.go b/http2/transport_test.go
index f889cd12b..836d45593 100644
--- a/http2/transport_test.go
+++ b/http2/transport_test.go
@@ -6254,3 +6254,32 @@ func TestDialRaceResumesDial(t *testing.T) {
 	case <-successCh:
 	}
 }
+
+func TestTransportDataAfter1xxHeader(t *testing.T) {
+	// Discard logger output to avoid spamming stderr.
+	log.SetOutput(io.Discard)
+	defer log.SetOutput(os.Stderr)
+
+	// https://go.dev/issue/65927 - server sends a 1xx response, followed by a DATA frame.
+	tc := newTestClientConn(t)
+	tc.greet()
+
+	req, _ := http.NewRequest("GET", "https://dummy.tld/", nil)
+	rt := tc.roundTrip(req)
+
+	tc.wantFrameType(FrameHeaders)
+	tc.writeHeaders(HeadersFrameParam{
+		StreamID:   rt.streamID(),
+		EndHeaders: true,
+		EndStream:  false,
+		BlockFragment: tc.makeHeaderBlockFragment(
+			":status", "100",
+		),
+	})
+	tc.writeData(rt.streamID(), true, []byte{0})
+	err := rt.err()
+	if err, ok := err.(StreamError); !ok || err.Code != ErrCodeProtocol {
+		t.Errorf("RoundTrip error: %v; want ErrCodeProtocol", err)
+	}
+	tc.wantFrameType(FrameRSTStream)
+}