From b8772353e89f83eae5c91724aba7facd0ba1f0dc Mon Sep 17 00:00:00 2001
From: sahvx655-wq <sahvx655@gmail.com>
Date: Tue, 2 Jun 2026 11:53:03 +0530
Subject: [PATCH] reject zero-length padded DATA frame in H2Context::OnData

---
 src/brpc/policy/http2_rpc_protocol.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/brpc/policy/http2_rpc_protocol.cpp b/src/brpc/policy/http2_rpc_protocol.cpp
index e202d32bc2..043f53ebea 100644
--- a/src/brpc/policy/http2_rpc_protocol.cpp
+++ b/src/brpc/policy/http2_rpc_protocol.cpp
@@ -701,6 +701,10 @@ H2ParseResult H2Context::OnData(
     uint32_t frag_size = frame_head.payload_size;
     uint8_t pad_length = 0;
     if (frame_head.flags & H2_FLAGS_PADDED) {
+        if (frag_size == 0) {
+            LOG(ERROR) << "Invalid payload_size=" << frame_head.payload_size;
+            return MakeH2Error(H2_FRAME_SIZE_ERROR);
+        }
         --frag_size;
         pad_length = LoadUint8(it);
     }