http2: reject PADDED frames whose Pad Length exceeds the payload

[robobun]

What does this PR do?

Fixes an integer underflow in the HTTP/2 frame parser when handling HEADERS and DATA frames with the PADDED flag set.

Problem

A peer can send a HEADERS frame with PADDED | END_HEADERS, length=1, and payload [0xFF]. In handleHeadersFrame:

padding = payload[0];           // 255
...
const end = payload.len - padding;  // 1 - 255 -> wraps to ~2^64
...
payload[offset..end]            // out-of-bounds heap read

In Debug/Safe builds this panics with integer overflow at h2_frame_parser.zig:2380. In ReleaseFast (the default release mode) runtime safety is off, so the subtraction silently wraps and the subsequent slice payload[offset..end] reads past the end of the input buffer into adjacent heap memory, which is then fed to the HPACK decoder.

A related issue exists in handleDataFrame where frame.length - padding - 1 can underflow with the same input shape, and both handlers read payload[0] without checking that the payload is non-empty when PADDED is set.

Fix

Per RFC 7540 §6.1 / §6.2, a Pad Length that is equal to or larger than the remaining frame payload MUST be treated as a connection error of type PROTOCOL_ERROR.

• handleHeadersFrame: reject with FRAME_SIZE_ERROR if PADDED is set on a zero-length frame; reject with PROTOCOL_ERROR if offset + padding > payload.len before computing payload.len - padding.
• handleDataFrame: reject with FRAME_SIZE_ERROR if PADDED is set on a zero-length frame; reject with PROTOCOL_ERROR if padding >= frame.length.

How did you verify your code works?

Added three tests to test/js/node/http2/node-http2.test.js that craft the malicious frames from a raw TCP server and assert the client closes the session with the correct error:

• should reject HEADERS frame with Pad Length >= payload length
• should reject zero-length HEADERS frame with PADDED flag
• should reject DATA frame with Pad Length >= payload length

Without the fix, bun bd test panics at h2_frame_parser.zig:2380 with integer overflow, and the release build hangs (silent OOB read). With the fix, all tests pass and the session is closed with ERR_HTTP2_SESSION_ERROR.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9d09511d-2259-434a-b06d-2964233769f9

📥 Commits

Reviewing files that changed from the base of the PR and between f82edd4 and 51338ff.

📒 Files selected for processing (2)

• src/bun.js/api/bun/h2_frame_parser.zig
• test/js/node/http2/node-http2-invalid-padding.test.ts

---

Walkthrough

Adds RFC7540-aligned padding validation and bounds checks to HTTP/2 DATA and HEADERS frame parsing (flag-driven PADDED handling, explicit Pad Length presence checks, and GOAWAY error responses) and adds integration tests that send malformed or split PADDED frames over raw TCP.

Changes

Cohort / File(s)	Summary
HTTP/2 Frame Parser src/bun.js/api/bun/h2_frame_parser.zig	Handles PADDED via the padded flag; requires a Pad Length octet when PADDED (FRAME_SIZE_ERROR if missing); validates padding bounds (PROTOCOL_ERROR when padding ≥ payload); strips Pad Length octet when present; adjusts chunk sizing using a frame-relative data region and saturating subtraction to avoid underflow.
HTTP/2 Padding Tests test/js/node/http2/node-http2-invalid-padding.test.ts	Adds integration tests that send crafted raw HTTP/2 frames over TCP to exercise invalid and edge-case PADDED HEADERS/DATA (e.g., Pad Length too large, PADDED with length=0, truncated PRIORITY, padding ≥ payload) and valid edge cases (Pad Length==0 stripped, split-frame padded DATA); asserts session closure errors and payload bytes received.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main fix: rejecting PADDED frames where Pad Length exceeds the payload, which is the core security issue being addressed.
Description check	✅ Passed	The description fully covers both required template sections with clear problem statement, RFC-compliant fix explanation, and comprehensive test verification details.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 0/5 reviews remaining, refill in 55 minutes and 37 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[robobun]

^{Updated 6:31 AM PT - Apr 29th, 2026}

❌ @Jarred-Sumner, your commit 4549dd8 has 2 failures in Build #49055 (All Failures):

• test/js/node/watch/fs.watch.test.ts - code 1 on 🍎 26 aarch64
• test/js/node/watch/fs.watch.test.ts - code 1 on 🍎 14 aarch64
• test/cli/install/bun-create.test.ts - code 1 on 🪟 11 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 29905

That installs a local version of the PR into your bun-29905 executable, so you can run:

bun-29905 --bun

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/js/node/http2/node-http2-invalid-padding.test.ts (1)

1-224: 🛠️ Refactor suggestion | 🟠 Major

Please colocate these cases in the existing HTTP/2 node test suite.

This new standalone *.test.ts file conflicts with the repository test-placement rule for changed coverage; these cases should be folded into the existing HTTP/2 test file for this area.

As per coding guidelines, test/**/*.test.ts: "Add new tests to existing test files for the code being changed, not in new separate files".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/js/node/http2/node-http2-invalid-padding.test.ts` around lines 1 - 224,
Move the tests from the standalone node-http2-invalid-padding.test.ts into the
existing HTTP/2 node test file that covers similar cases (co-locate rather than
adding a new test file); copy over the helper functions sendFrames and
receiveBody and all test cases (tests titled "should reject HEADERS frame with
Pad Length >= payload length", "should reject zero-length HEADERS frame with
PADDED flag", "should reject HEADERS frame with truncated priority fields",
"should reject DATA frame with Pad Length >= payload length", "should strip Pad
Length octet from DATA frame when Pad Length is 0", and "should not drop
trailing data byte from padded DATA frame split across reads") into that file,
adjust imports to reuse the existing http2utils/http2/net helpers, remove the
new file from the commit, and run the test suite to ensure there are no
duplicate imports or name collisions with existing tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@test/js/node/http2/node-http2-invalid-padding.test.ts`:
- Around line 1-224: Move the tests from the standalone
node-http2-invalid-padding.test.ts into the existing HTTP/2 node test file that
covers similar cases (co-locate rather than adding a new test file); copy over
the helper functions sendFrames and receiveBody and all test cases (tests titled
"should reject HEADERS frame with Pad Length >= payload length", "should reject
zero-length HEADERS frame with PADDED flag", "should reject HEADERS frame with
truncated priority fields", "should reject DATA frame with Pad Length >= payload
length", "should strip Pad Length octet from DATA frame when Pad Length is 0",
and "should not drop trailing data byte from padded DATA frame split across
reads") into that file, adjust imports to reuse the existing
http2utils/http2/net helpers, remove the new file from the commit, and run the
test suite to ensure there are no duplicate imports or name collisions with
existing tests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 29d163a2-b8f5-41ff-8117-a35b70e1f9bf

📥 Commits

Reviewing files that changed from the base of the PR and between c027bf3 and 0060c89.

📒 Files selected for processing (2)

• src/bun.js/api/bun/h2_frame_parser.zig
• test/js/node/http2/node-http2-invalid-padding.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/js/node/http2/node-http2-invalid-padding.test.ts`:
- Line 1: The new tests in test/js/node/http2/node-http2-invalid-padding.test.ts
should not live in a separate file; move the test cases into the existing HTTP/2
test file (e.g., node-http2.test.ts) for the same area, remove the new .test.ts
file, and update imports as needed (ensure you use the existing import { expect,
test } from "bun:test"; and preserve any helper setup/teardown already present
in the existing HTTP/2 test file); run the suite to confirm no duplicate test
names or conflicting fixtures after merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d95ceeb7-23b8-40b8-81c6-687cc12e2d73

📥 Commits

Reviewing files that changed from the base of the PR and between 0060c89 and c334248.

📒 Files selected for processing (1)

• test/js/node/http2/node-http2-invalid-padding.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/js/node/http2/node-http2-invalid-padding.test.ts`:
- Around line 158-165: The function awaiting `promise` may throw before the
`close` handle is returned, leaking `client`/`server`; modify `receiveBody` (the
block that does `const body = await promise; return { body, close: () => {
client.destroy(); server.close(); } }`) to ensure cleanup on rejection by
wrapping the await in try/catch (or try/finally) so that on error you call
`client.destroy()` and `server.close()` and then rethrow the error, guaranteeing
the http2 handles are closed even when `promise` rejects.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 789105a7-66fb-4209-8499-d9e1d072559d

📥 Commits

Reviewing files that changed from the base of the PR and between c334248 and f82edd4.

📒 Files selected for processing (1)

• test/js/node/http2/node-http2-invalid-padding.test.ts

[claude]

All earlier feedback has been addressed and I have nothing further to flag — deferring to a human for final sign-off since this rewrites offset arithmetic in the network-facing HTTP/2 frame parser (memory-safety fix).

Extended reasoning...

Overview

This PR hardens handleHeadersFrame and handleDataFrame in src/bun.js/api/bun/h2_frame_parser.zig against malformed PADDED frames: it adds zero-length / Pad Length bounds checks (sending FRAME_SIZE_ERROR / PROTOCOL_ERROR per RFC 7540 §4.2/§6.1/§6.2), and rewrites the DATA-frame chunk-slicing math as a frame-offset intersection (data_region_end - max(start_idx, data_region_start) with saturating subtraction) keyed on the PADDED flag rather than padding > 0. A new test file exercises six cases including invalid padding, Pad Length = 0, truncated priority fields, and a padded DATA frame split across reads.

Security risks

The bug being fixed is itself a security issue — a peer-controlled integer underflow leading to an OOB heap read fed into the HPACK decoder in ReleaseFast. The fix only adds bounds checks and reorders subtractions to occur after validation, so it strictly reduces the attack surface. I don't see any new risk introduced; the new error paths reuse the existing sendGoAway(..., true) connection-error machinery.

Level of scrutiny

High. This is a network-facing binary protocol parser handling untrusted input, and the handleDataFrame change is not a one-line guard — it replaces the payload-extent computation with new offset arithmetic that went through three revisions during review (saturating subtraction, then the count-vs-offset off-by-one fix, then the PADDED-flag keying). I've traced the final form for the single-read, split-read, Pad Length = 0, and all-padding-chunk cases and believe it is correct, but a human should confirm the data_region_start = padded ? max(start_idx, 1) : start_idx interaction with the in-place payload = payload[1..] strip.

Other factors

Every inline comment I and CodeRabbit raised across the revisions has been addressed and resolved (split FRAME_SIZE/PROTOCOL_ERROR checks, saturating subtraction, off-by-one on non-first chunks, Pad Length = 0 leak, deterministic split-read test, receiveBody cleanup on rejection, stale comment text). The CI failures reported by robobun (websocket-server.test.ts, serve-stream-reject-flush-leak.test.ts, test-integration-rspack.ts, fetch-http2-client.test.ts ASAN timeout) are pre-existing flakes unrelated to padding handling. Jarred has already engaged on the thread, so this is ready for maintainer review.