QPACK: RFC 9204 static-table compliance, decode robustness, and cleanup

[phongn]

QPACK: RFC 9204 static-table compliance, decode robustness, and cleanup

Summary

A set of correctness and cleanup changes to the home-grown HTTP/3 QPACK implementation (src/proxy/http3/QPACK.cc, shared src/proxy/hdrs/XPACK.cc). The headline is an RFC 9204 static-table compliance fix (an interop bug); the rest hardens the decoder against malformed input, refuses a configuration we don't actually implement, and speeds up the static-table lookup. Each is a separate commit so they can be reviewed — or dropped — independently.

Let me know if this is too much for one PR, and it can be split up.

What's in here

1. Restore the RFC 9204 static table (drop zstd entries) — please review closely.
The QPACK static table (RFC 9204 Appendix A) is normative: its 99 indices are wire values shared with every peer and must not be reordered or extended. #12201 ("Add Zstandard compression support") inserted a 100th entry (content-encoding: zstd) into the middle of the table and appended zstd to entry 31's value. The insertion shifts RFC indices 42–98 to 43–99, so a standard peer mis-resolves every static reference at or above 42 (content-type variants, the second :status block, user-agent, x-frame-options, …) in both directions, and content-encoding: zstd itself decodes as br on a compliant client. This restores the table to RFC 9204 exactly. zstd content coding is unaffected — it is still conveyed as a literal field, which is how every compliant QPACK implementation encodes values absent from the static table. (This reverts the static-table portion of #12201; cc: @JakeChampion)

2. Add an RFC 9204 static-table conformance test.
Decodes header blocks referencing static indices spanning the shifted range (31, 42, 52, 71, 98) and asserts each yields the exact RFC name and value. Fails if the table is ever reordered or extended again. (Kept as a separate commit from the fix above so the two can be dropped together if needed.)

3. Fix header-prefix decode bounds and validation.
The Required Insert Count / Delta Base prefix decoding had three defects on malformed input: it read an uninitialized value and used && instead of || (so a failed integer decode usually wasn't caught, then advanced the cursor by a negative return); the Delta Base bound used an inverted comparison; and remain_len was never updated as the cursor advanced, so per-instruction decoders saw an end pointer past the real buffer (a potential over-read on a crafted length). Now decodes against a fixed end, initializes the prefix integers, rejects on || value > 0xFFFF, and recomputes the remaining length per instruction.

4. Reject dynamic references when no dynamic table exists.
A header block with a non-zero Required Insert Count references the dynamic table. ATS only stores dynamic entries once a non-zero table capacity is negotiated (and currently always advertises zero), so such a reference can never be satisfied — the decoder would queue the stream as blocked forever. Fail the decode when the table capacity is zero instead. Includes a test.

5. Refuse unimplemented QPACK dynamic-table configuration.
The dynamic table is not implemented (XpackDynamicTable never stores entries — capacity is fixed at zero and never raised). Advertising a non-zero header_table_size or qpack_blocked_streams would tell a peer it may insert entries our decoder silently drops and then reference them, breaking decoding. Fail at config load if either is set non-zero, rather than silently misbehaving on the wire.

6. Speed up the static-table lookup.
Replace the unconditional 99-entry linear scan in the static-table name lookup with a binary search over an auxiliary name-sorted index (the table itself can't be reordered, so the index is built once and sorted by name). Behavior is unchanged — it returns the sole exact match or the highest-indexed name match, exactly as the linear scan did.

Behavior changes worth calling out

• proxy.config.http3.header_table_size > 0 or proxy.config.http3.qpack_blocked_streams > 0 now fails at config load (both default to 0). These never worked correctly; failing loudly is preferable to advertising a capability we can't honor.
• A header block referencing the dynamic table is now rejected (decode error) rather than blocked indefinitely.
• The static table changes the wire representation back to RFC 9204 — i.e., it corrects the indices ATS emits/accepts for static references ≥ 42.

Testing

Built and tested against the BoringSSL H3 toolchain
(-DENABLE_QUICHE=ON -DOPENSSL_ROOT_DIR=.../boringssl -Dquiche_ROOT=.../quiche):

• test_qpack — 12 assertions / 4 cases pass. The conformance test confirms, through the real decode path, that index
  42 → content-encoding: br,
  52 → content-type: text/html; charset=utf-8,
  71 → :status 500,
  98 → x-frame-options: sameorigin.
• test_http3 — 125 assertions / 14 cases pass.

The new static-table lookup was additionally checked for bit-identical behavior
against the previous linear scan over an exhaustive set of inputs.

Out of scope / follow-ups

• QPACK decode-error propagation is incomplete independent of this PR: the QPACK_EVENT_DECODE_FAILED handler and the res < 0 path in Http3HeaderVIOAdaptor are currently // FIXME no-ops (failures log but don't reset the stream/connection). Worth a separate change.

🤖 Generated with Claude Code

[ezelkow1]

@phongn failure in qpack test:

 48/161 Test  #51: test_qpack .............................***Failed    0.28 sec
Randomness seeded to: 2101226799
couldn't open dir: ./qifs/qifs
couldn't open dir: ./qifs/encoded/ats
[Jun 11 20:40:36.968] test_qpack DIAG: <QPACK.cc:733 (_decode_indexed_header_field)> (qpack) [00000000-00000000] Decoded Indexed Header Field: base_index=0, abs_index=31, name=accept-encoding, value=gzip, deflate, br
[Jun 11 20:40:36.968] test_qpack DIAG: <QPACK.cc:733 (_decode_indexed_header_field)> (qpack) [00000000-00000000] Decoded Indexed Header Field: base_index=0, abs_index=42, name=content-encoding, value=br
[Jun 11 20:40:36.968] test_qpack DIAG: <QPACK.cc:733 (_decode_indexed_header_field)> (qpack) [00000000-00000000] Decoded Indexed Header Field: base_index=0, abs_index=52, name=content-type, value=text/html; charset=utf-8
[Jun 11 20:40:36.968] test_qpack DIAG: <QPACK.cc:733 (_decode_indexed_header_field)> (qpack) [00000000-00000000] Decoded Indexed Header Field: base_index=0, abs_index=71, name=:status, value=500
[Jun 11 20:40:36.969] test_qpack DIAG: <QPACK.cc:733 (_decode_indexed_header_field)> (qpack) [00000000-00000000] Decoded Indexed Header Field: base_index=0, abs_index=98, name=x-frame-options, value=sameorigin
===============================================================================
All tests passed (12 assertions in 4 test cases)


=================================================================
==5427==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 312 byte(s) in 1 object(s) allocated from:
    #0 0x7f219b15e307 in operator new(unsigned long) (/lib64/libasan.so.6+0xb6307)
    #1 0x452ad1 in CATCH2_INTERNAL_TEST_8 ../src/proxy/http3/test/test_QPACK.cc:536
    #2 0x7f219ad22080 in invoke ../lib/Catch2/src/catch2/internal/catch_test_registry.cpp:60
    #3 0x7f219acee741 in Catch::TestCaseHandle::invoke() const ../lib/Catch2/src/catch2/catch_test_case_info.hpp:124
    #4 0x7f219aceb27b in Catch::RunContext::invokeActiveTestCase() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:673
    #5 0x7f219acea9f0 in Catch::RunContext::runCurrentTest() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:631
    #6 0x7f219ace5948 in Catch::RunContext::runTest(Catch::TestCaseHandle const&) ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:273
    #7 0x7f219ac2aa28 in execute ../lib/Catch2/src/catch2/catch_session.cpp:108
    #8 0x7f219ac2d72f in Catch::Session::runInternal() ../lib/Catch2/src/catch2/catch_session.cpp:328
    #9 0x7f219ac2cca4 in Catch::Session::run() ../lib/Catch2/src/catch2/catch_session.cpp:260
    #10 0x4343aa in main ../src/proxy/http3/test/main_qpack.cc:105
    #11 0x7f2198433864 in __libc_start_main (/lib64/libc.so.6+0x3a864)

Direct leak of 312 byte(s) in 1 object(s) allocated from:
    #0 0x7f219b15e307 in operator new(unsigned long) (/lib64/libasan.so.6+0xb6307)
    #1 0x4518e2 in CATCH2_INTERNAL_TEST_6 ../src/proxy/http3/test/test_QPACK.cc:502
    #2 0x7f219ad22080 in invoke ../lib/Catch2/src/catch2/internal/catch_test_registry.cpp:60
    #3 0x7f219acee741 in Catch::TestCaseHandle::invoke() const ../lib/Catch2/src/catch2/catch_test_case_info.hpp:124
    #4 0x7f219aceb27b in Catch::RunContext::invokeActiveTestCase() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:673
    #5 0x7f219acea9f0 in Catch::RunContext::runCurrentTest() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:631
    #6 0x7f219ace5948 in Catch::RunContext::runTest(Catch::TestCaseHandle const&) ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:273
    #7 0x7f219ac2aa28 in execute ../lib/Catch2/src/catch2/catch_session.cpp:108
    #8 0x7f219ac2d72f in Catch::Session::runInternal() ../lib/Catch2/src/catch2/catch_session.cpp:328
    #9 0x7f219ac2cca4 in Catch::Session::run() ../lib/Catch2/src/catch2/catch_session.cpp:260
    #10 0x4343aa in main ../src/proxy/http3/test/main_qpack.cc:105
    #11 0x7f2198433864 in __libc_start_main (/lib64/libc.so.6+0x3a864)

Direct leak of 80 byte(s) in 1 object(s) allocated from:
    #0 0x7f219b15e307 in operator new(unsigned long) (/lib64/libasan.so.6+0xb6307)
    #1 0x452b00 in CATCH2_INTERNAL_TEST_8 ../src/proxy/http3/test/test_QPACK.cc:537
    #2 0x7f219ad22080 in invoke ../lib/Catch2/src/catch2/internal/catch_test_registry.cpp:60
    #3 0x7f219acee741 in Catch::TestCaseHandle::invoke() const ../lib/Catch2/src/catch2/catch_test_case_info.hpp:124
    #4 0x7f219aceb27b in Catch::RunContext::invokeActiveTestCase() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:673
    #5 0x7f219acea9f0 in Catch::RunContext::runCurrentTest() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:631
    #6 0x7f219ace5948 in Catch::RunContext::runTest(Catch::TestCaseHandle const&) ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:273
    #7 0x7f219ac2aa28 in execute ../lib/Catch2/src/catch2/catch_session.cpp:108
    #8 0x7f219ac2d72f in Catch::Session::runInternal() ../lib/Catch2/src/catch2/catch_session.cpp:328
    #9 0x7f219ac2cca4 in Catch::Session::run() ../lib/Catch2/src/catch2/catch_session.cpp:260
    #10 0x4343aa in main ../src/proxy/http3/test/main_qpack.cc:105
    #11 0x7f2198433864 in __libc_start_main (/lib64/libc.so.6+0x3a864)

Direct leak of 80 byte(s) in 1 object(s) allocated from:
    #0 0x7f219b15e307 in operator new(unsigned long) (/lib64/libasan.so.6+0xb6307)
    #1 0x451911 in CATCH2_INTERNAL_TEST_6 ../src/proxy/http3/test/test_QPACK.cc:503
    #2 0x7f219ad22080 in invoke ../lib/Catch2/src/catch2/internal/catch_test_registry.cpp:60
    #3 0x7f219acee741 in Catch::TestCaseHandle::invoke() const ../lib/Catch2/src/catch2/catch_test_case_info.hpp:124
    #4 0x7f219aceb27b in Catch::RunContext::invokeActiveTestCase() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:673
    #5 0x7f219acea9f0 in Catch::RunContext::runCurrentTest() ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:631
    #6 0x7f219ace5948 in Catch::RunContext::runTest(Catch::TestCaseHandle const&) ../lib/Catch2/src/catch2/internal/catch_run_context.cpp:273
    #7 0x7f219ac2aa28 in execute ../lib/Catch2/src/catch2/catch_session.cpp:108
    #8 0x7f219ac2d72f in Catch::Session::runInternal() ../lib/Catch2/src/catch2/catch_session.cpp:328
    #9 0x7f219ac2cca4 in Catch::Session::run() ../lib/Catch2/src/catch2/catch_session.cpp:260
    #10 0x4343aa in main ../src/proxy/http3/test/main_qpack.cc:105
    #11 0x7f2198433864 in __libc_start_main (/lib64/libc.so.6+0x3a864)

SUMMARY: AddressSanitizer: 784 byte(s) leaked in 4 allocation(s).

        Start  52: test_proxy
 49/161 Test  #52: test_proxy .............................   Passed    0.14 sec
        Start  53: test_jsonrpc