Re: Suspected errata on 7540 wrt stream states from Kazuho Oku on 2017-12-27 (ietf-http-wg@w3.org from October to December 2017)

From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 28 Dec 2017 05:19:16 +0900
To: Willy Tarreau <w@1wt.eu>, summerwind.jp@gmail.com
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CANatvzySLZiZ9WCdP3RZO+UsNkhnkqcc8wQTCv5kyn3jc2RGFA@mail.gmail.com>

Hi,

2017-12-27 17:57 GMT+09:00 Willy Tarreau <w@1wt.eu>:

> Hi all,
>
> while taking a closer look at some of the issues reported by h2spec on
> haproxy's h2 implementation, I found that it reported something that I
> thought I had properly handled, namely the receipt of frames after the
> ES flag. Taking a closer look, I implemented what is indicated in 5.1 :
>
>    open:
>       (...) an endpoint receiving an END_STREAM flag causes the
>       stream state to become "half-closed (remote)".
>
>    half-closed (remote):
>       (...) If an endpoint receives additional frames, other than
>       WINDOW_UPDATE, PRIORITY, or RST_STREAM, for a stream that is in
>       this state, it MUST respond with a stream error (Section 5.4.2) of
>       type STREAM_CLOSED.
>
> And indeed, when haproxy sees, say, a DATA frame after ES, it sends an
> RST_STREAM with error type STREAM_CLOSED.
>
> But h2spec expects to see a connection error here, which surprized me a
> bit. So I continued to read and found what rule it relies on :
>
>    closed:
>       (...) Similarly, an endpoint
>       that receives any frames after receiving a frame with the
>       END_STREAM flag set MUST treat that as a connection error
>       (Section 5.4.1) of type STREAM_CLOSED, unless the frame is
>       permitted as described below.
>
> So in fact here I suspect that this last paragraph has nothing to do with
> the closed state but is in fact related to the half-closed(remote) one,
> and it contradicts the rule dictated in the half-closed(remote)
> description.
>
> Am I overlooking anything ? Should I implement a connection error to be
> more conservative ? Should I file an errata given that we're seeing two
> conflicting MUST ?
>

Let me point out that section 6.1 also has a definition dealing with the
case, which states:


   If a DATA frame is received
   whose stream is not in "open" or "half-closed (local)" state, the
   recipient MUST respond with a stream error (Section 5.4.2
<https://tools.ietf.org/html/rfc7540#section-5.4.2>) of type
   STREAM_CLOSED.


So I agree that there might be an issue here. My personal bet would be that
this is an error in section 5.1 failing to nominate DATA frame as one of
the frames that can end up in a stream-level error when received in closed
state.

FWIW, h2spec version 1 does not report an error if a stream-level error is
returned in this case. So it might be a regression in h2spec version 2.



> Thanks,
> Willy
>
>


-- 
Kazuho Oku

Received on Wednesday, 27 December 2017 20:19:42 UTC