PUSH_PROMISE: fix promised stream id validation

Kriechi · pgjones · commit ac7eb884b8d4 · 2020-07-27T18:08:28.000+01:00
https://tools.ietf.org/html/rfc7540#section-6.6 The promised stream identifier MUST be a valid choice for the next stream sent by the sender (see "new stream identifier" in Section 5.1.1). https://tools.ietf.org/html/rfc7540#section-5.1.1 Streams [...] initiated by the server MUST use even-numbered stream identifiers. https://tools.ietf.org/html/rfc7540#section-8.2 [...] servers MUST treat the receipt of a PUSH_PROMISE frame as a connection error
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -12,6 +12,7 @@ Release History
 
 - Fixed padding parsing for ``PushPromiseFrame``.
 - Fixed unchecked frame length for ``PriorityFrame``. It now correctly raises ``InvalidFrameError``.
+- Fixed promised stream id parsing for ``PushPromiseFrame``.
 
 **Other Changes**
 
diff --git a/hyperframe/frame.py b/hyperframe/frame.py
@@ -485,6 +485,12 @@ def parse_body(self, data):
         )
         self.body_len = len(data)
 
+        if self.promised_stream_id == 0 or self.promised_stream_id % 2 != 0:
+            raise InvalidFrameError(
+                "Invalid PUSH_PROMISE promised stream id: %s" %
+                self.promised_stream_id
+            )
+
         if self.pad_length and self.pad_length >= self.body_len:
             raise InvalidPaddingError("Padding is too long.")
 
diff --git a/test/test_frames.py b/test/test_frames.py
@@ -437,13 +437,22 @@ def test_push_promise_frame_with_invalid_padding_fails_to_parse(self):
 
     def test_push_promise_frame_with_no_length_parses(self):
         # Fixes issue with empty data frames raising InvalidPaddingError.
-        f = PushPromiseFrame(1)
+        f = PushPromiseFrame(1, 2)
         f.data = b''
         data = f.serialize()
 
         new_frame = decode_frame(data)
         assert new_frame.data == b''
 
+    def test_push_promise_frame_invalid(self):
+        data = PushPromiseFrame(1, 0).serialize()
+        with pytest.raises(InvalidFrameError):
+            decode_frame(data)
+
+        data = PushPromiseFrame(1, 3).serialize()
+        with pytest.raises(InvalidFrameError):
+            decode_frame(data)
+
     def test_short_push_promise_errors(self):
         s = (
             b'\x00\x00\x0F\x05\x04\x00\x00\x00\x01' +
