From 81e13e52fda29d69208a5cf3ca6d8891553e44b1 Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Sun, 10 Dec 2017 23:01:25 +0700
Subject: [PATCH] reject STREAM frames that would close the crypto stream

---
 session.go      |  3 +++
 session_test.go | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/session.go b/session.go
index 16e89e4b0..3a632909e 100644
--- a/session.go
+++ b/session.go
@@ -563,6 +563,9 @@ func (s *session) handlePacket(p *receivedPacket) {
 
 func (s *session) handleStreamFrame(frame *wire.StreamFrame) error {
 	if frame.StreamID == s.version.CryptoStreamID() {
+		if frame.FinBit {
+			return errors.New("Received STREAM frame with FIN bit for the crypto stream")
+		}
 		return s.cryptoStream.AddStreamFrame(frame)
 	}
 	str, err := s.streamsMap.GetOrOpenStream(frame.StreamID)
diff --git a/session_test.go b/session_test.go
index c588b4f7a..9c9d4e305 100644
--- a/session_test.go
+++ b/session_test.go
@@ -269,7 +269,7 @@ var _ = Describe("Session", func() {
 			}
 		})
 
-		Context("when handling STREAM frames", func() {
+		Context("handling STREAM frames", func() {
 			BeforeEach(func() {
 				sess.streamsMap.UpdateMaxStreamLimit(100)
 			})
@@ -330,6 +330,15 @@ var _ = Describe("Session", func() {
 				})
 				Expect(err).ToNot(HaveOccurred())
 			})
+
+			It("errors on a STREAM frame that would close the crypto stream", func() {
+				err := sess.handleStreamFrame(&wire.StreamFrame{
+					StreamID: sess.version.CryptoStreamID(),
+					Offset:   0x1337,
+					FinBit:   true,
+				})
+				Expect(err).To(MatchError("Received STREAM frame with FIN bit for the crypto stream"))
+			})
 		})
 
 		Context("handling RST_STREAM frames", func() {