From 285979efca999e4d1a856ae352a32e4ab1623a0c Mon Sep 17 00:00:00 2001
From: highpon
Date: Sun, 4 Dec 2022 05:05:14 +0900
Subject: [PATCH] Properly check validity of a session ID
---
 neqo-http3/src/connection.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/neqo-http3/src/connection.rs b/neqo-http3/src/connection.rs
index 854fe3aca0..cc15a59b16 100644
--- a/neqo-http3/src/connection.rs
+++ b/neqo-http3/src/connection.rs
@@ -721,6 +721,14 @@ impl Http3Connection {
 conn.stream_stop_sending(stream_id, Error::HttpStreamCreation.code())?;
 return Ok(ReceiveOutput::NoOutput);
 }
+
+ if !StreamId::from(session_id).is_client_initiated()
+ || !StreamId::from(session_id).is_bidi()
+ || !conn.is_stream_id_allowed(StreamId::from(session_id))
+ {
+ conn.stream_stop_sending(stream_id, Error::HttpId.code())?;
+ return Ok(ReceiveOutput::NoOutput);
+ }
 }
 NewStreamType::Unknown => {
 conn.stream_stop_sending(stream_id, Error::HttpStreamCreation.code())?;
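Review bot: The added check answers a session ID that is not client-initiated or not bidirectional with only `conn.stream_stop_sending(stream_id, Error::HttpId.code())`, so the connection stays open after the peer has sent an ID that can never name a WebTransport session. As I read the WebTransport over HTTP/3 draft, that case is meant to be a connection-level H3_ID_ERROR, whereas an ID that merely fails `is_stream_id_allowed` could reasonably remain a stream-level rejection; please confirm and split the two cases if so. Separately, the conversion is repeated three times and could be bound once, `let session = StreamId::from(session_id);`, with `session` used in all three conditions. The diffstat shows only connection.rs changed, so a test feeding a server-initiated or unidirectional session ID and asserting the rejection would pin this behaviour. The enclosing match arm and function begin and end outside the hunk.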