From 2101d708dc2bcf6955c3ee394ff8e1af4ccddbdf Mon Sep 17 00:00:00 2001
From: Paolo Insogna
Date: Fri, 17 Jun 2022 13:49:44 +0200
Subject: [PATCH] http: validate HTTP version

---
 src/llhttp/http.ts | 30 ++++++++++++++++++++++++++++--
 test/request/invalid.md | 16 ++++++++++++++++
 test/response/invalid.md | 14 ++++++++++++++
 3 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
index 1c38269e..4b464587 100644
--- a/src/llhttp/http.ts
+++ b/src/llhttp/http.ts
@@ -258,7 +258,20 @@ export class HTTP {
 .otherwise(p.error(ERROR.INVALID_VERSION, 'Expected dot'));

 n('res_http_minor')
- .select(MINOR, this.store('http_minor', 'res_http_end'))
+ .select(MINOR, this.store('http_minor',
+ this.load('http_major', {
+ 0: this.load('http_minor', {
+ 9: n('res_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ 1: this.load('http_minor', {
+ 0: n('res_http_end'),
+ 1: n('res_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ 2: this.load('http_minor', {
+ 0: n('res_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ ))
 .otherwise(p.error(ERROR.INVALID_VERSION, 'Invalid minor version'));

 n('res_http_end')
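Review bot: The accepted-version table added under `res_http_minor` is repeated line for line in the `req_http_minor` hunk (@@ -364,7 +377,20), differing only in the target node name, so a later edit to one copy can leave the request and response parsers accepting different versions. Building the table once in a helper that takes the next node's name keeps the two directions in step; the sketch below assumes `p` and `n` are in scope at both call sites, which these hunks suggest but do not show. The enclosing builder function starts and ends outside the hunk.

```typescript
// One definition of the accepted versions (0.9, 1.0, 1.1, 2.0) for both directions.
const checkVersion = (next: string) => {
  const invalid = () =>
    p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version');
  return this.load('http_major', {
    0: this.load('http_minor', { 9: n(next) }, invalid()),
    1: this.load('http_minor', { 0: n(next), 1: n(next) }, invalid()),
    2: this.load('http_minor', { 0: n(next) }, invalid()),
  }, invalid());
};

// … unchanged: preceding nodes …
n('res_http_minor')
  .select(MINOR, this.store('http_minor', checkVersion('res_http_end')))
  // … unchanged: .otherwise(... 'Invalid minor version') …
```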
@@ -364,7 +377,20 @@ export class HTTP {
 .otherwise(p.error(ERROR.INVALID_VERSION, 'Expected dot'));

 n('req_http_minor')
- .select(MINOR, this.store('http_minor', 'req_http_end'))
+ .select(MINOR, this.store('http_minor',
+ this.load('http_major', {
+ 0: this.load('http_minor', {
+ 9: n('req_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ 1: this.load('http_minor', {
+ 0: n('req_http_end'),
+ 1: n('req_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ 2: this.load('http_minor', {
+ 0: n('req_http_end'),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ }, p.error(ERROR.INVALID_VERSION, 'Invalid HTTP version')),
+ ))
 .otherwise(p.error(ERROR.INVALID_VERSION, 'Invalid minor version'));

 n('req_http_end').otherwise(this.load('method', {
diff --git a/test/request/invalid.md b/test/request/invalid.md
index cea6a91c..ef3d3446 100644
--- a/test/request/invalid.md
+++ b/test/request/invalid.md
@@ -200,3 +200,19 @@ off=22 len=15 span[header_value]="www.example.com"
 off=39 header_value complete
 off=52 error code=10 reason="Invalid header token"
 ```
+
+### Invalid HTTP version
+
+
+```http
+GET / HTTP/5.6
+
+
+```
+
+```log
+off=0 message begin
+off=4 len=1 span[url]="/"
+off=6 url complete
+off=14 error code=9 reason="Invalid HTTP version"
+```
diff --git a/test/response/invalid.md b/test/response/invalid.md
index 60bd3042..96b8f151 100644
--- a/test/response/invalid.md
+++ b/test/response/invalid.md
@@ -106,3 +106,17 @@ off=21 header_field complete
 off=22 len=1 span[header_value]="1"
 off=24 error code=3 reason="Missing expected LF after header value"
 ```
+
+### Invalid HTTP version
+
+
+```http
+HTTP/5.6 200 OK
+
+
+```
+
+```log
+off=0 message begin
+off=8 error code=9 reason="Invalid HTTP version"
+```
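Review bot: Nothing above the `.select` in `req_http_minor` records why exactly 0.9, 1.0, 1.1 and 2.0 are accepted, and the table now fails a request line such as `HTTP/1.2` with INVALID_VERSION, whereas RFC 7230 section 2.6 says a recipient SHOULD treat a higher minor version as the highest one it implements. The stricter behaviour may well be intended, since it leaves less room for two HTTP parsers on the same path to read one request line differently, but it should be stated, for example `// Strict on purpose: only 0.9, 1.0, 1.1 and 2.0 pass; any other version is INVALID_VERSION.` Whether 2.0 is further limited by method is decided in `req_http_end`, whose body continues outside the hunk.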
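Review bot: The only rejected version tested in test/request/invalid.md is `HTTP/5.6`, which reaches the default of the outer `http_major` load; none of the inner `http_minor` defaults (a known major with a disallowed minor) is exercised here or in test/response/invalid.md. A second case with `GET / HTTP/1.2` as the request line, and its counterpart with an `HTTP/1.2 200 OK` status line, would cover the branch most likely to be hit in practice. The expected log for those cases should be taken from a real run rather than copied from the 5.6 case.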