Project

General

Profile

Actions

Bug #3067

closed

pedantic warning from -fsanitize=undefined

Added by axe34 about 3 years ago. Updated about 3 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
No

Description

Here is my configuration file

server.port = 3000
server.document-root = "/var/www/" 
etag.use-inode = "disable" 
etag.use-mtime = "disable" 
etag.use-size = "disable" 
static-file.etags = "disable" 
mimetype.assign = (
  ".html" => "text/html", 
)
server.max-fds = 2048
server.max-keep-alive-requests = 0
server.max-keep-alive-idle = 1
server.http-parseopts = ("url-path-dotseg-remove" => "enable","url-normalize-required" => "enable","url-query-20-plus" => "enable","url-path-2f-decode" => "enable")

My initial request is
GET /index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA

However, when this following request is causes an illegal instruction and the server to exit.
GET /index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA

Here is the full stack trace:
Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
603         h2con * const h2c = con->h2;
(gdb) bt
#0  h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
#1  0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
#2  0x005dbf12 in h2_con_upgrade_h2c (h2r=<optimized out>, http2_settings=0xf59006f0) at h2.c:2538
#3  0x005db709 in h2_check_con_upgrade_h2c (r=0xf3703880) at h2.c:2657
#4  0x005a1261 in connection_handle_read_state (con=0xf3703880) at connections.c:808
#5  0x0059ae2f in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
#6  0x0059a05b in connection_state_machine_h1 (r=0xf3703880, con=0xf4303303) at connections.c:1418
#7  0x00597031 in connection_state_machine (con=0xf3703880) at connections.c:1436
#8  0x005f1819 in network_server_handle_fdevent (context=0xf4503030, revents=1) at network.c:66
#9  0x0076fe8a in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
#10 0x006cf5a7 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
#11 0x0055d397 in server_main_loop (srv=0xf5703c40) at server.c:1902
#12 0x0054a02f in main (argc=6, argv=0xffffcd14) at server.c:2034

I have several payloads for this bug and I am guessing this bug is caused by the malformed data in the settings frame of the request.

In different payloads, the stack trace shows that there is a different value in h2_parse_init_settings

h2_parse_frame_settings (con=<optimized out>, s=0xf5501500 "\242y\300", len=18) at h2.c:603
603         h2con * const h2c = con->h2;
(gdb) bt
#0  h2_parse_frame_settings (con=<optimized out>, s=0xf5501500 "\242y\300", len=18) at h2.c:603
#1  0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
#2  0x005dbf12 in h2_con_upgrade_h2c (h2r=<optimized out>, http2_settings=0xf59006f0) at h2.c:2538
#3  0x005db709 in h2_check_con_upgrade_h2c (r=0xf3703880) at h2.c:2657
#4  0x005a1261 in connection_handle_read_state (con=0xf3703880) at connections.c:808
#5  0x0059ae2f in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
#6  0x0059a05b in connection_state_machine_h1 (r=0xf3703880, con=0xf4303301) at connections.c:1418
#7  0x00597031 in connection_state_machine (con=0xf3703880) at connections.c:1436
#8  0x005f1819 in network_server_handle_fdevent (context=0xf4503030, revents=1) at network.c:66
#9  0x0076fe8a in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
#10 0x006cf5a7 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
#11 0x0055d397 in server_main_loop (srv=0xf5703c40) at server.c:1902
#12 0x0054a02f in main (argc=6, argv=0xffffcd24) at server.c:2034

In this stack trace, the value passed to h2_parse_frame_settings is \242y\300 and the in the previous stack trace, the value is empty.

Actions #1

Updated by gstrauss about 3 years ago

How are you sending these requests? What tool are you using? Are you sending them on the same connection? Are they separate connections? Are they sent in parallel? How does lighttpd respond to the requests? Do you get /index.html? Is your tool switching to use HTTP/2 for subsequent requests on the connection after your initial Connection: Upgrade, HTTP2-Settings request?

Are you using lighttpd 1.4.59? (Likely, yes, but please always include such detailed information.) What platforms are you on? x86_64? ARM64? What is your OS and version?

Actions #2

Updated by axe34 about 3 years ago

This is my fault. I completely forgot about this. They are being sent through a socket connection through a small program I made. They are sent in separate connections. The first one is just an example of the base requests. The second request is the one that causes the issue. When you send the second request, lighttpd does not send a response. I am using lighttpd 1.4.59 and I am on x86_64 GNU/Linux Ubuntu 20.04

Actions #3

Updated by gstrauss about 3 years ago

If you built lighttpd yourself, what commands did you use to build lighttpd and did you change any settings from the defaults?

In gdb when you cause the crash, please

up 1
print con->h2

An illegal instruction for a basic access is curious. con->h2 was allocated and assigned in h2_init_con() a few lines before calling h2_parse_frame_settings()
603 h2con * const h2c = con->h2;

This occurs before any parsing of the HTTP2-Settings that you sent (in the second request). lighttpd would subsequently ignore the unknown settings in the data that you have passed in your example above.

Please describe what happens in the first request, as it is possible that something is getting corrupted and that corruption is exposed on the subsequent request.

Actions #4

Updated by axe34 about 3 years ago

This is the full command I used to compile. CFLAGS='-m32 -g -O1 -fsanitize=address,undefined' CXXFLAGS='-m32 -g -O1 -fsanitize=address,undefined' ./configure. I did not change anything.
I am not sending these requests one after another. This crash happens with one request which is the second request.
Here is the gdb output

[New Thread 0xf30ffb40 (LWP 48)]
Request:
GET /alias/index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA

Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
603         h2con * const h2c = con->h2;
(gdb) up 1
#1  0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
1656            h2_parse_frame_settings(con, (uint8_t *)CONST_BUF_LEN(http2_settings));
(gdb) print con->h2
$2 = (h2con *) 0xf4303300

Actions #5

Updated by axe34 about 3 years ago

First request is just normal request to demonstrate my initial payload before mutations. The output is
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c

Actions #6

Updated by gstrauss about 3 years ago

Is this reproducible when you do not build with -m32?

Actions #7

Updated by axe34 about 3 years ago

This is reproducible when I do build a 64bit binary too

Actions #8

Updated by gstrauss about 3 years ago

I was not able to reproduce the issue with a basic curl test (using the HTTP2-Settings values sent by curl)
curl --http2 http://127.0.0.1/index.txt http://127.0.0.1/index.txt

I do not have a ready tool at my disposal to manipulate the HTTP2-Settings that are sent, but plan to mock one up.

In your constructed HTTP2-Settings, you set HTTP2 HPACK header table size to 0. If you send a subsequent HTTP/2 frame setting it back to a reasonable value, e.g. 4096, do things continue to work? I am trying to narrow things down to lighttpd code or ls-hpack code.

Actions #9

Updated by axe34 about 3 years ago

Yes. If I send another request with another frame with a valid value things continue to work. I have been doing some analysis with valgrind and found some information.

==16005== valgrind: Unrecognised instruction at address 0x5badae.
==16005==    at 0x5BADAE: h2_parse_frame_settings (h2.c:603)
==16005==    by 0x5C3553: h2_init_con (h2.c:1656)
==16005==    by 0x5D3AAE: h2_con_upgrade_h2c (h2.c:2538)
==16005==    by 0x5D3295: h2_check_con_upgrade_h2c (h2.c:2657)
==16005==    by 0x598B30: connection_handle_read_state (connections.c:808)
==16005==    by 0x59266F: connection_state_machine_loop (connections.c:1079)
==16005==    by 0x591851: connection_state_machine_h1 (connections.c:1418)
==16005==    by 0x58E78C: connection_state_machine (connections.c:1436)
==16005==    by 0x5E9418: network_server_handle_fdevent (network.c:66)
==16005==    by 0x76894C: fdevent_linux_sysepoll_poll (fdevent_linux_sysepoll.c:43)
==16005==    by 0x6C7C06: fdevent_poll (fdevent.c:436)
==16005==    by 0x55AE85: server_main_loop (server.c:1902)
==16005== Your program just tried to execute an instruction that Valgrind
==16005== did not recognise.  There are two possible reasons for this.
==16005== 1. Your program has a bug and erroneously jumped to a non-code
==16005==    location.  If you are running Memcheck and you just saw a
==16005==    warning about a bad jump, it's probably your program's fault.
==16005== 2. The instruction is legitimate but Valgrind doesn't handle it,
==16005==    i.e. it's Valgrind's fault.  If you think this is the case or
==16005==    you are not sure, please let us know and we'll try to fix it.
==16005== Either way, Valgrind will now raise a SIGILL signal which will
==16005== probably kill your program.
==16005==
==16005== Process terminating with default action of signal 4 (SIGILL): dumping core
==16005==  Illegal opcode at address 0x5BADAE
==16005==    at 0x5BADAE: h2_parse_frame_settings (h2.c:603)
==16005==    by 0x5C3553: h2_init_con (h2.c:1656)
==16005==    by 0x5D3AAE: h2_con_upgrade_h2c (h2.c:2538)
==16005==    by 0x5D3295: h2_check_con_upgrade_h2c (h2.c:2657)
==16005==    by 0x598B30: connection_handle_read_state (connections.c:808)
==16005==    by 0x59266F: connection_state_machine_loop (connections.c:1079)
==16005==    by 0x591851: connection_state_machine_h1 (connections.c:1418)
==16005==    by 0x58E78C: connection_state_machine (connections.c:1436)
==16005==    by 0x5E9418: network_server_handle_fdevent (network.c:66)
==16005==    by 0x76894C: fdevent_linux_sysepoll_poll (fdevent_linux_sysepoll.c:43)
==16005==    by 0x6C7C06: fdevent_poll (fdevent.c:436)
==16005==    by 0x55AE85: server_main_loop (server.c:1902)

Actions #10

Updated by axe34 about 3 years ago

I added a longer stack trace here.

Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0x62100000150c "", len=6) at h2.c:603
603         h2con * const h2c = con->h2;
(gdb) bt full
#0  h2_parse_frame_settings (con=<optimized out>, s=0x62100000150c "", len=6) at h2.c:603
        h2c = 0x611000001580
#1  0x00000000003a15ed in h2_init_con (h2r=0x619000001980, con=0x619000001980, http2_settings=0x602000000030) at h2.c:1656
        h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377" 
        h2c = <optimized out>
#2  0x00000000003afd19 in h2_con_upgrade_h2c (h2r=0x619000001980, http2_settings=0x602000000030) at h2.c:2538
        switch_proto = "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n" 
        con = 0x619000001980
        r = <optimized out>
#3  0x00000000003af6a8 in h2_check_con_upgrade_h2c (r=0x619000001980) at h2.c:2657
        upgrade = <optimized out>
        http_connection = 0x6040000024b0
        http2_settings = <optimized out>
#4  0x000000000037bb05 in connection_handle_read_state (con=0x619000001980) at connections.c:808
        hoff = {6, 0, 32, 54, 91, 105, 147, 149, 0, 0, 0, 0, 0, 0, 0, 0, 2, 17152, 0, 0, 1712, 0, 24688, 0, 32982, 32767, 3086, 0, 24790, 49, 0, 0, 0, 0, 0, 0, 1712, 0, 24688,
          0, 1696, 0, 24688, 0, 7465, 41, 0, 0, 64, 0, 0, 0, 42538, 48, 0, 256, 80, 0, 0, 0, 63120, 88, 0, 0, 38840, 65535, 32767, 0, 12288, 63236, 0, 0, 112, 0, 0, 0, 12288,
          63236, 32767, 0, 7, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 5, 0, 0, 0, 42115, 48, 0, 0, 1, 0, 0, 0, 38840, 65535, 32767, 0, 80, 0, 0, 0, 40944, 65535, 32767, 0, 7964, 41,
          0, 0, 53505, 65535, 32767, 0, 16, 0, 0, 0, 5, 0, 0, 0, 42212, 48, 0, 0, 1, 0, 0, 0, 38856, 65535, 32767, 0, 5, 0, 0, 0, 42115, 48, 0, 0, 60088, 81, 0, 0, 61012,
          62487, 32767, 0, 32835, 78, 0, 0, 19824, 99, 0, 0, 53761, 65535, 32767, 0, 43540, 50, 0, 0, 2, 0, 0, 0, 19824, 99, 0, 0, 33252, 32767, 3895, 61570, 4, 0, 0, 0, 4, 0,
          0, 0, 19824, 99, 0, 0...}
        cq = <optimized out>
        discard_blank = 0 '\000'
        pipelined_request_start = <optimized out>
        keepalive_request_start = <optimized out>
        r = 0x619000001980
        header_len = 149
        clen = 149
        c = 0x608000000aa0
        hdrs = 0x625000000100 "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n" 
#5  0x00000000003764d3 in connection_state_machine_loop (r=0x619000001980, con=0x619000001980) at connections.c:1079
        ostate = CON_STATE_REQUEST_START
#6  0x000000000037583c in connection_state_machine_h1 (r=0x619000001980, con=0x619000001980) at connections.c:1418
        log_state_handling = <optimized out>
#7  0x00000000003729d8 in connection_state_machine (con=0x62100000150e) at connections.c:1436
        r = 0x62100000150e
#8  0x00000000003c396c in network_server_handle_fdevent (context=0x60d000000380, revents=<optimized out>) at network.c:66
        srv_socket = 0x60d000000380
        srv = 0x615000000300
        loops = <optimized out>
        con = 0x6300000f0400
#9  0x0000000000518c21 in fdevent_linux_sysepoll_poll (ev=<optimized out>, timeout_ms=<optimized out>) at fdevent_linux_sysepoll.c:43
        n = 1
#10 0x0000000000488eeb in fdevent_poll (ev=0x619000000a80, timeout_ms=-150720288) at fdevent.c:436
        n = <optimized out>
#11 0x0000000000346e7c in server_main_loop (srv=0x615000000300) at server.c:1902

Actions #11

Updated by gstrauss about 3 years ago

I still have not reproduced this. However, if the crash does not occur with the following patch, this would suggest that the issue is likely somewhere in the ls-hpack code for encoder history table.

--- a/src/h2.c
+++ b/src/h2.c
@@ -1650,7 +1650,7 @@ h2_init_con (request_st * const restrict h2r, connection * const restrict con, c

     lshpack_dec_init(&h2c->decoder);
     lshpack_enc_init(&h2c->encoder);
-    lshpack_enc_use_hist(&h2c->encoder, 1);
+//    lshpack_enc_use_hist(&h2c->encoder, 1);

     if (http2_settings) /*(if Upgrade: h2c)*/
         h2_parse_frame_settings(con, (uint8_t *)CONST_BUF_LEN(http2_settings));

Does the crash still occur with a simplified, two-line lighttpd.conf? (I expect that it will (without the patch above), but this should be an easy assumption to verify)

server.port = 3000
server.document-root = "/var/www/" 

Actions #12

Updated by stbuehler about 3 years ago

axe34, might I suggest you get a pcap (tcpdump) or a detailed strace (-v -s 4000) of the two connections so others can try to reproduce it?

Other things often useful in such situations:
- try without compiler optimizations; if it still happens the gdb (or valgrind?) backtrace will be much more useful
- call "disassemble" and "info registers" in gdb (in optimized builds gdb high-level info is often not accurate enough), so you can see exactly where it got stuck

Actions #13

Updated by gstrauss about 3 years ago

  • Status changed from New to Need Feedback
Actions #14

Updated by axe34 about 3 years ago

With the patch it still crashes.
Here is the full backtrace without compiler optimizations.

 h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
        h2c = 0xf3b034c0
#1  0x005c1a5a in h2_init_con (h2r=0xf4103880, con=0xf4103880, http2_settings=0xf59006f0) at h2.c:1656
        h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377" 
        h2c = <optimized out>
#2  0x005d383d in h2_check_con_upgrade_h2c (r=<optimized out>) at h2.c:2538
        upgrade = <optimized out>
        http_connection = <optimized out>
        http2_settings = <optimized out>
#3  0x00599e36 in connection_handle_read_state (con=0xf4103880) at connections.c:808
        hoff = <optimized out>
        cq = <optimized out>
        discard_blank = <optimized out>
        pipelined_request_start = <optimized out>
        keepalive_request_start = <optimized out>
        r = 0xf4103880
        header_len = 149
        clen = <optimized out>
        c = 0xf4103914
        hdrs = <optimized out>
#4  0x00590dfb in connection_state_machine_loop (r=<optimized out>, con=0xf4103880) at connections.c:1079
        ostate = CON_STATE_REQUEST_START
#5  0x0058dea3 in connection_state_machine_h1 (r=0xf4103880, con=0xf5501503) at connections.c:1418
        log_state_handling = <optimized out>
#6  0x005eada2 in network_server_handle_fdevent (context=0xf45031d0, revents=1) at connections.c:1436
        srv_socket = 0xf45031d0
        srv = 0xf5703c40
        loops = <optimized out>
        con = 0xf5b3c800
#7  0x00792764 in fdevent_linux_sysepoll_poll (ev=0xf4103c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
        n = 1
#8  0x006e4133 in fdevent_poll (ev=0xf4103c80, timeout_ms=1000) at fdevent.c:436
        n = <optimized out>
#9  0x00555964 in server_main_loop (srv=<optimized out>) at server.c:1902
        min_ts = <optimized out>
        joblist = <optimized out>
        last_active_ts = 1612719657
#10 0x00547964 in main (argc=<optimized out>, argv=<optimized out>) at server.c:2034
        srv = 0xf5703c40
        rc = 1

Here is the assembler dump.
Dump of assembler code for function h2_parse_frame_settings:
   0x005bde20 <+0>:     push   %ebp
   0x005bde21 <+1>:     push   %ebx
   0x005bde22 <+2>:     push   %edi
   0x005bde23 <+3>:     push   %esi
   0x005bde24 <+4>:     sub    $0x7c,%esp
   0x005bde27 <+7>:     mov    %edx,0x28(%esp)
   0x005bde2b <+11>:    test   $0x3,%cl
   0x005bde2e <+14>:    jne    0x5bf411 <h2_parse_frame_settings+5617>
   0x005bde34 <+20>:    test   %ecx,%ecx
   0x005bde36 <+22>:    je     0x5bf411 <h2_parse_frame_settings+5617>
   0x005bde3c <+28>:    mov    0x7fac4c,%eax
   0x005bde41 <+33>:    mov    %ecx,%esi
   0x005bde43 <+35>:    mov    0x325a(%eax),%cl
   0x005bde49 <+41>:    add    $0x1,%cl
   0x005bde4c <+44>:    adc    $0x0,%cl
   0x005bde4f <+47>:    mov    %cl,0x325a(%eax)
   0x005bde55 <+53>:    mov    %esi,0x2c(%esp)
   0x005bde59 <+57>:    lea    0x240(%esi),%eax
   0x005bde5f <+63>:    test   $0x3,%al
   0x005bde61 <+65>:    jne    0x5bf64f <h2_parse_frame_settings+6191>
   0x005bde67 <+71>:    mov    0x7fac4c,%ecx
   0x005bde6d <+77>:    mov    0x3258(%ecx),%bl
   0x005bde73 <+83>:    add    $0x1,%bl
   0x005bde76 <+86>:    adc    $0x0,%bl
   0x005bde79 <+89>:    mov    %bl,0x3258(%ecx)
   0x005bde7f <+95>:    mov    %eax,%ecx
   0x005bde81 <+97>:    shr    $0x3,%ecx
   0x005bde84 <+100>:   mov    0x20000000(%ecx),%cl
   0x005bde8a <+106>:   test   %cl,%cl
   0x005bde8c <+108>:   jne    0x5bf173 <h2_parse_frame_settings+4947>
   0x005bde92 <+114>:   mov    0x7fac4c,%ecx
   0x005bde98 <+120>:   mov    0x3256(%ecx),%bl
   0x005bde9e <+126>:   add    $0x1,%bl
   0x005bdea1 <+129>:   adc    $0x0,%bl
   0x005bdea4 <+132>:   mov    %bl,0x3256(%ecx)
   0x005bdeaa <+138>:   mov    0x90(%esp),%ecx
   0x005bdeb1 <+145>:   mov    %ecx,0x44(%esp)
   0x005bdeb5 <+149>:   cmp    $0x5,%ecx
   0x005bdeb8 <+152>:   jbe    0x5bf1c7 <h2_parse_frame_settings+5031>
   0x005bdebe <+158>:   mov    (%eax),%edx
   0x005bdec0 <+160>:   mov    0x7fac4c,%eax
   0x005bdec5 <+165>:   mov    0x3252(%eax),%cl
   0x005bdecb <+171>:   add    $0x1,%cl
   0x005bdece <+174>:   adc    $0x0,%cl
--Type <RET> for more, q to quit, c to continue without paging--c
   0x005bded1 <+177>:   mov    %cl,0x3252(%eax)
   0x005bded7 <+183>:   mov    %edx,%ecx
   0x005bded9 <+185>:   test   %edx,%edx
   0x005bdedb <+187>:   sete   0x10(%esp)
   0x005bdee0 <+192>:   test   $0x3,%cl
   0x005bdee3 <+195>:   setne  %al
   0x005bdee6 <+198>:   add    $0x48,%edx
   0x005bdee9 <+201>:   test   $0x3,%dl
   0x005bdeec <+204>:   mov    %edx,%esi
   0x005bdeee <+206>:   setne  0xb(%esp)
   0x005bdef3 <+211>:   lea    0x44(%ecx),%edx
   0x005bdef6 <+214>:   test   $0x3,%dl
   0x005bdef9 <+217>:   mov    %edx,%edi
   0x005bdefb <+219>:   setne  %ah
   0x005bdefe <+222>:   lea    0x20(%ecx),%edx
   0x005bdf01 <+225>:   mov    %edx,0x38(%esp)
   0x005bdf05 <+229>:   test   $0x3,%dl
   0x005bdf08 <+232>:   setne  %bh
   0x005bdf0b <+235>:   lea    0x3c(%ecx),%edx
   0x005bdf0e <+238>:   mov    %edx,0x34(%esp)
   0x005bdf12 <+242>:   test   $0x3,%dl
   0x005bdf15 <+245>:   setne  %bl
   0x005bdf18 <+248>:   lea    0x38(%ecx),%edx
   0x005bdf1b <+251>:   mov    %edx,0x30(%esp)
   0x005bdf1f <+255>:   mov    %ecx,%ebp
   0x005bdf21 <+257>:   test   $0x3,%dl
   0x005bdf24 <+260>:   setne  %dh
   0x005bdf27 <+263>:   add    $0x34,%ecx
   0x005bdf2a <+266>:   mov    %ecx,0x24(%esp)
   0x005bdf2e <+270>:   test   $0x3,%cl
   0x005bdf31 <+273>:   setne  %cl
   0x005bdf34 <+276>:   or     0x10(%esp),%al
   0x005bdf38 <+280>:   or     %al,0xb(%esp)
   0x005bdf3c <+284>:   or     %al,%ah
   0x005bdf3e <+286>:   mov    %ah,0x1c(%esp)
   0x005bdf42 <+290>:   or     %al,%bh
   0x005bdf44 <+292>:   mov    %bh,0x1e(%esp)
   0x005bdf48 <+296>:   or     %al,%bl
   0x005bdf4a <+298>:   mov    %bl,0x1d(%esp)
   0x005bdf4e <+302>:   or     %al,%dh
   0x005bdf50 <+304>:   mov    %dh,0x1b(%esp)
   0x005bdf54 <+308>:   or     %cl,%al
   0x005bdf56 <+310>:   mov    %al,0x1f(%esp)
   0x005bdf5a <+314>:   mov    %ebp,%eax
   0x005bdf5c <+316>:   not    %eax
   0x005bdf5e <+318>:   mov    %eax,0x5c(%esp)
   0x005bdf62 <+322>:   mov    %esi,%ecx
   0x005bdf64 <+324>:   mov    %esi,%eax
   0x005bdf66 <+326>:   shr    $0x3,%eax
   0x005bdf69 <+329>:   or     $0x20000000,%eax
   0x005bdf6e <+334>:   mov    %eax,0x70(%esp)
   0x005bdf72 <+338>:   mov    %esi,0x4c(%esp)
   0x005bdf76 <+342>:   mov    %ecx,%eax
   0x005bdf78 <+344>:   and    $0x7,%al
   0x005bdf7a <+346>:   add    $0x3,%al
   0x005bdf7c <+348>:   mov    %al,0x1a(%esp)
   0x005bdf80 <+352>:   mov    %edi,%ecx
   0x005bdf82 <+354>:   mov    %edi,%eax
   0x005bdf84 <+356>:   shr    $0x3,%eax
   0x005bdf87 <+359>:   or     $0x20000000,%eax
   0x005bdf8c <+364>:   mov    %eax,0x6c(%esp)
   0x005bdf90 <+368>:   mov    %edi,0x48(%esp)
   0x005bdf94 <+372>:   mov    %ecx,%eax
   0x005bdf96 <+374>:   and    $0x7,%al
   0x005bdf98 <+376>:   add    $0x3,%al
   0x005bdf9a <+378>:   mov    %al,0x17(%esp)
   0x005bdf9e <+382>:   mov    0x38(%esp),%ecx
   0x005bdfa2 <+386>:   mov    %ecx,%eax
   0x005bdfa4 <+388>:   shr    $0x3,%eax
   0x005bdfa7 <+391>:   or     $0x20000000,%eax
   0x005bdfac <+396>:   mov    %eax,0x78(%esp)
   0x005bdfb0 <+400>:   mov    %ecx,%eax
   0x005bdfb2 <+402>:   and    $0x7,%al
   0x005bdfb4 <+404>:   add    $0x3,%al
   0x005bdfb6 <+406>:   mov    %al,0x19(%esp)
   0x005bdfba <+410>:   lea    0x40(%ebp),%eax
   0x005bdfbd <+413>:   mov    %eax,%ecx
   0x005bdfbf <+415>:   shr    $0x3,%ecx
   0x005bdfc2 <+418>:   or     $0x20000000,%ecx
   0x005bdfc8 <+424>:   mov    %ecx,0x54(%esp)
   0x005bdfcc <+428>:   mov    %eax,0x20(%esp)
   0x005bdfd0 <+432>:   and    $0x7,%al
   0x005bdfd2 <+434>:   add    $0x3,%al
   0x005bdfd4 <+436>:   mov    %al,0xa(%esp)
   0x005bdfd8 <+440>:   mov    0x34(%esp),%ecx
   0x005bdfdc <+444>:   mov    %ecx,%eax
   0x005bdfde <+446>:   shr    $0x3,%eax
   0x005bdfe1 <+449>:   or     $0x20000000,%eax
   0x005bdfe6 <+454>:   mov    %eax,0x74(%esp)
   0x005bdfea <+458>:   mov    %ecx,%eax
   0x005bdfec <+460>:   and    $0x7,%al
   0x005bdfee <+462>:   add    $0x3,%al
   0x005bdff0 <+464>:   mov    %al,0x18(%esp)
   0x005bdff4 <+468>:   mov    0x30(%esp),%ecx
   0x005bdff8 <+472>:   mov    %ecx,%eax
   0x005bdffa <+474>:   shr    $0x3,%eax
   0x005bdffd <+477>:   or     $0x20000000,%eax
   0x005be002 <+482>:   mov    %eax,0x68(%esp)
   0x005be006 <+486>:   mov    %ecx,%eax
   0x005be008 <+488>:   and    $0x7,%al
   0x005be00a <+490>:   add    $0x3,%al
   0x005be00c <+492>:   mov    %al,0x16(%esp)
   0x005be010 <+496>:   mov    0x24(%esp),%ecx
   0x005be014 <+500>:   mov    %ecx,%eax
   0x005be016 <+502>:   shr    $0x3,%eax
   0x005be019 <+505>:   or     $0x20000000,%eax
   0x005be01e <+510>:   mov    %eax,0x50(%esp)
   0x005be022 <+514>:   mov    %ecx,%eax
   0x005be024 <+516>:   and    $0x7,%al
   0x005be026 <+518>:   add    $0x3,%al
   0x005be028 <+520>:   mov    %al,0x9(%esp)
   0x005be02c <+524>:   mov    %ebp,0x60(%esp)
   0x005be030 <+528>:   lea    0x6c(%ebp),%eax
   0x005be033 <+531>:   mov    %eax,0x64(%esp)
   0x005be037 <+535>:   mov    0x28(%esp),%edx
   0x005be03b <+539>:   cmp    $0xfffffffe,%edx
   0x005be03e <+542>:   je     0x5bf3c6 <h2_parse_frame_settings+5542>
   0x005be044 <+548>:   nop
   0x005be045 <+549>:   nop
   0x005be046 <+550>:   nop
   0x005be047 <+551>:   nop
   0x005be048 <+552>:   nop
   0x005be049 <+553>:   nop
   0x005be04a <+554>:   nop
   0x005be04b <+555>:   nop
   0x005be04c <+556>:   nop
   0x005be04d <+557>:   nop
   0x005be04e <+558>:   nop
   0x005be04f <+559>:   nop
   0x005be050 <+560>:   cmp    $0xffffffff,%edx
   0x005be053 <+563>:   je     0x5bf362 <h2_parse_frame_settings+5442>
   0x005be059 <+569>:   test   %edx,%edx
   0x005be05b <+571>:   je     0x5bf37b <h2_parse_frame_settings+5467>
   0x005be061 <+577>:   mov    0x7fac4c,%eax
   0x005be066 <+582>:   mov    0x324e(%eax),%cl
   0x005be06c <+588>:   add    $0x1,%cl
   0x005be06f <+591>:   adc    $0x0,%cl
   0x005be072 <+594>:   mov    %cl,0x324e(%eax)
   0x005be078 <+600>:   mov    %edx,0x28(%esp)
   0x005be07c <+604>:   lea    0x2(%edx),%eax
   0x005be07f <+607>:   mov    %eax,%ecx
   0x005be081 <+609>:   shr    $0x3,%ecx
   0x005be084 <+612>:   mov    0x20000000(%ecx),%cl
   0x005be08a <+618>:   test   %cl,%cl
   0x005be08c <+620>:   jne    0x5bef67 <h2_parse_frame_settings+4423>
   0x005be092 <+626>:   mov    0x7fac4c,%ecx
   0x005be098 <+632>:   mov    0x324c(%ecx),%dl
   0x005be09e <+638>:   add    $0x1,%dl
   0x005be0a1 <+641>:   adc    $0x0,%dl
   0x005be0a4 <+644>:   mov    %dl,0x324c(%ecx)
   0x005be0aa <+650>:   movzbl (%eax),%eax
   0x005be0ad <+653>:   test   %al,%al
   0x005be0af <+655>:   js     0x5bf349 <h2_parse_frame_settings+5417>
   0x005be0b5 <+661>:   mov    %eax,%edi
   0x005be0b7 <+663>:   mov    0x7fac4c,%ecx
   0x005be0bd <+669>:   mov    0x3248(%ecx),%dl
   0x005be0c3 <+675>:   add    $0x1,%dl
   0x005be0c6 <+678>:   adc    $0x0,%dl
   0x005be0c9 <+681>:   mov    %dl,0x3248(%ecx)
   0x005be0cf <+687>:   mov    0x28(%esp),%eax
   0x005be0d3 <+691>:   cmp    $0xfffffffb,%eax
   0x005be0d6 <+694>:   jae    0x5bf394 <h2_parse_frame_settings+5492>
   0x005be0dc <+700>:   lea    0x3(%eax),%ecx
   0x005be0df <+703>:   mov    0x7fac4c,%edx
   0x005be0e5 <+709>:   mov    0x3247(%edx),%bl
   0x005be0eb <+715>:   add    $0x1,%bl
   0x005be0ee <+718>:   adc    $0x0,%bl
   0x005be0f1 <+721>:   mov    %bl,0x3247(%edx)
   0x005be0f7 <+727>:   mov    %ecx,%edx
   0x005be0f9 <+729>:   shr    $0x3,%edx
   0x005be0fc <+732>:   mov    0x20000000(%edx),%dl
   0x005be102 <+738>:   test   %dl,%dl
   0x005be104 <+740>:   jne    0x5befb4 <h2_parse_frame_settings+4500>
   0x005be10a <+746>:   mov    0x7fac4c,%edx
   0x005be110 <+752>:   mov    0x3244(%edx),%bl
   0x005be116 <+758>:   add    $0x1,%bl
   0x005be119 <+761>:   adc    $0x0,%bl
   0x005be11c <+764>:   mov    %bl,0x3244(%edx)
   0x005be122 <+770>:   lea    0x4(%eax),%edx
   0x005be125 <+773>:   movzbl (%ecx),%ecx
   0x005be128 <+776>:   mov    %edx,%esi
   0x005be12a <+778>:   shr    $0x3,%esi
   0x005be12d <+781>:   mov    0x20000000(%esi),%bl
   0x005be133 <+787>:   test   %bl,%bl
   0x005be135 <+789>:   jne    0x5beff6 <h2_parse_frame_settings+4566>
   0x005be13b <+795>:   mov    0x7fac4c,%esi
   0x005be141 <+801>:   mov    0x3240(%esi),%bl
   0x005be147 <+807>:   add    $0x1,%bl
   0x005be14a <+810>:   adc    $0x0,%bl
   0x005be14d <+813>:   mov    %bl,0x3240(%esi)
   0x005be153 <+819>:   lea    0x5(%eax),%ebx
   0x005be156 <+822>:   movzbl (%edx),%ebp
   0x005be159 <+825>:   mov    %ebx,%edx
   0x005be15b <+827>:   shr    $0x3,%edx
   0x005be15e <+830>:   mov    0x20000000(%edx),%dl
   0x005be164 <+836>:   test   %dl,%dl
   0x005be166 <+838>:   jne    0x5bf038 <h2_parse_frame_settings+4632>
   0x005be16c <+844>:   mov    0x7fac4c,%edx
   0x005be172 <+850>:   mov    0x323c(%edx),%bl
   0x005be178 <+856>:   add    $0x1,%bl
   0x005be17b <+859>:   adc    $0x0,%bl
   0x005be17e <+862>:   mov    %bl,0x323c(%edx)
   0x005be184 <+868>:   movzbl 0x5(%eax),%esi
   0x005be188 <+872>:   mov    %eax,%edx
   0x005be18a <+874>:   shr    $0x3,%edx
   0x005be18d <+877>:   mov    0x20000000(%edx),%bl
   0x005be193 <+883>:   test   %bl,%bl
   0x005be195 <+885>:   mov    %esi,0x10(%esp)
   0x005be199 <+889>:   jne    0x5bf07a <h2_parse_frame_settings+4698>
   0x005be19f <+895>:   mov    0x7fac4c,%edx
   0x005be1a5 <+901>:   mov    0x3238(%edx),%bl
   0x005be1ab <+907>:   add    $0x1,%bl
   0x005be1ae <+910>:   adc    $0x0,%bl
   0x005be1b1 <+913>:   mov    %bl,0x3238(%edx)
   0x005be1b7 <+919>:   lea    0x1(%eax),%ebx
   0x005be1ba <+922>:   movzbl (%eax),%esi
   0x005be1bd <+925>:   mov    %ebx,%edx
   0x005be1bf <+927>:   shr    $0x3,%edx
   0x005be1c2 <+930>:   mov    0x20000000(%edx),%dl
   0x005be1c8 <+936>:   test   %dl,%dl
   0x005be1ca <+938>:   jne    0x5bf0bc <h2_parse_frame_settings+4764>
   0x005be1d0 <+944>:   mov    0x7fac4c,%edx
   0x005be1d6 <+950>:   mov    0x3234(%edx),%al
   0x005be1dc <+956>:   add    $0x1,%al
   0x005be1de <+958>:   adc    $0x0,%al
   0x005be1e0 <+960>:   mov    %al,0x3234(%edx)
   0x005be1e6 <+966>:   shl    $0x8,%esi
   0x005be1e9 <+969>:   movzbl (%ebx),%eax
   0x005be1ec <+972>:   or     %eax,%esi
   0x005be1ee <+974>:   dec    %esi
   0x005be1ef <+975>:   cmp    $0x5,%si
   0x005be1f3 <+979>:   ja     0x5be9d8 <h2_parse_frame_settings+3000>
   0x005be1f9 <+985>:   shl    $0x18,%edi
   0x005be1fc <+988>:   shl    $0x10,%ecx
   0x005be1ff <+991>:   or     %edi,%ecx
   0x005be201 <+993>:   shl    $0x8,%ebp
   0x005be204 <+996>:   or     %ecx,%ebp
   0x005be206 <+998>:   or     0x10(%esp),%ebp
   0x005be20a <+1002>:  movzwl %si,%eax
   0x005be20d <+1005>:  jmp    *0x433c90(,%eax,4)
   0x005be214 <+1012>:  mov    0x7fac4c,%eax
   0x005be219 <+1017>:  mov    0x322c(%eax),%cl
   0x005be21f <+1023>:  add    $0x1,%cl
   0x005be222 <+1026>:  adc    $0x0,%cl
   0x005be225 <+1029>:  mov    %cl,0x322c(%eax)
   0x005be22b <+1035>:  cmp    $0x1000,%ebp
   0x005be231 <+1041>:  mov    $0x1000,%eax
   0x005be236 <+1046>:  cmovae %eax,%ebp
   0x005be239 <+1049>:  cmpb   $0x0,0x1f(%esp)
   0x005be23e <+1054>:  jne    0x5bf55f <h2_parse_frame_settings+5951>
   0x005be244 <+1060>:  mov    %ebp,%edx
   0x005be246 <+1062>:  mov    0x7fac4c,%eax
   0x005be24b <+1067>:  mov    0x322a(%eax),%cl
   0x005be251 <+1073>:  add    $0x1,%cl
   0x005be254 <+1076>:  adc    $0x0,%cl
   0x005be257 <+1079>:  mov    %cl,0x322a(%eax)
   0x005be25d <+1085>:  mov    0x50(%esp),%eax
   0x005be261 <+1089>:  mov    (%eax),%al
   0x005be263 <+1091>:  test   %al,%al
   0x005be265 <+1093>:  je     0x5be271 <h2_parse_frame_settings+1105>
   0x005be267 <+1095>:  cmp    %al,0x9(%esp)
   0x005be26b <+1099>:  jge    0x5bf578 <h2_parse_frame_settings+5976>
   0x005be271 <+1105>:  mov    0x7fac4c,%eax
   0x005be276 <+1110>:  mov    0x3227(%eax),%cl
   0x005be27c <+1116>:  add    $0x1,%cl
   0x005be27f <+1119>:  adc    $0x0,%cl
   0x005be282 <+1122>:  mov    %cl,0x3227(%eax)
   0x005be288 <+1128>:  mov    0x24(%esp),%eax
   0x005be28c <+1132>:  cmp    (%eax),%edx
   0x005be28e <+1134>:  jne    0x5be9f4 <h2_parse_frame_settings+3028>
   0x005be294 <+1140>:  mov    0x7fac4c,%eax
   0x005be299 <+1145>:  mov    0x3225(%eax),%cl
   0x005be29f <+1151>:  add    $0x1,%cl
   0x005be2a2 <+1154>:  adc    $0x0,%cl
   0x005be2a5 <+1157>:  mov    %cl,0x3225(%eax)
   0x005be2ab <+1163>:  jmp    0x5bef00 <h2_parse_frame_settings+4320>
   0x005be2b0 <+1168>:  mov    0x7fac4c,%eax
   0x005be2b5 <+1173>:  mov    0x3230(%eax),%cl
   0x005be2bb <+1179>:  add    $0x1,%cl
   0x005be2be <+1182>:  adc    $0x0,%cl
   0x005be2c1 <+1185>:  mov    %cl,0x3230(%eax)
   0x005be2c7 <+1191>:  lea    -0x4000(%ebp),%eax
   0x005be2cd <+1197>:  cmp    $0xffc000,%eax
   0x005be2d2 <+1202>:  jae    0x5bf139 <h2_parse_frame_settings+4889>
   0x005be2d8 <+1208>:  mov    0x7fac4c,%eax
   0x005be2dd <+1213>:  mov    0x31be(%eax),%cl
   0x005be2e3 <+1219>:  add    $0x1,%cl
   0x005be2e6 <+1222>:  adc    $0x0,%cl
   0x005be2e9 <+1225>:  mov    %cl,0x31be(%eax)
   0x005be2ef <+1231>:  cmpb   $0x0,0x1c(%esp)
   0x005be2f4 <+1236>:  jne    0x5bf5d7 <h2_parse_frame_settings+6071>
   0x005be2fa <+1242>:  mov    0x7fac4c,%eax
   0x005be2ff <+1247>:  mov    0x31bc(%eax),%cl
   0x005be305 <+1253>:  add    $0x1,%cl
   0x005be308 <+1256>:  adc    $0x0,%cl
   0x005be30b <+1259>:  mov    %cl,0x31bc(%eax)
   0x005be311 <+1265>:  mov    0x6c(%esp),%eax
   0x005be315 <+1269>:  mov    (%eax),%al
   0x005be317 <+1271>:  test   %al,%al
   0x005be319 <+1273>:  je     0x5be325 <h2_parse_frame_settings+1285>
   0x005be31b <+1275>:  cmp    %al,0x17(%esp)
   0x005be31f <+1279>:  jge    0x5bf5f0 <h2_parse_frame_settings+6096>
   0x005be325 <+1285>:  mov    0x7fac4c,%eax
   0x005be32a <+1290>:  mov    0x31b9(%eax),%cl
   0x005be330 <+1296>:  add    $0x1,%cl
   0x005be333 <+1299>:  adc    $0x0,%cl
   0x005be336 <+1302>:  mov    %cl,0x31b9(%eax)
   0x005be33c <+1308>:  mov    0x48(%esp),%eax
   0x005be340 <+1312>:  jmp    0x5be9d1 <h2_parse_frame_settings+2993>
   0x005be345 <+1317>:  mov    0x7fac4c,%eax
   0x005be34a <+1322>:  mov    0x322e(%eax),%cl
   0x005be350 <+1328>:  add    $0x1,%cl
   0x005be353 <+1331>:  adc    $0x0,%cl
   0x005be356 <+1334>:  mov    %cl,0x322e(%eax)
   0x005be35c <+1340>:  cmpb   $0x0,0x1d(%esp)
   0x005be361 <+1345>:  jne    0x5bf46d <h2_parse_frame_settings+5709>
   0x005be367 <+1351>:  mov    0x7fac4c,%eax
   0x005be36c <+1356>:  mov    0x321c(%eax),%cl
   0x005be372 <+1362>:  add    $0x1,%cl
   0x005be375 <+1365>:  adc    $0x0,%cl
   0x005be378 <+1368>:  mov    %cl,0x321c(%eax)
   0x005be37e <+1374>:  mov    0x74(%esp),%eax
   0x005be382 <+1378>:  mov    (%eax),%al
   0x005be384 <+1380>:  test   %al,%al
   0x005be386 <+1382>:  je     0x5be392 <h2_parse_frame_settings+1394>
   0x005be388 <+1384>:  cmp    %al,0x18(%esp)
   0x005be38c <+1388>:  jge    0x5bf486 <h2_parse_frame_settings+5734>
   0x005be392 <+1394>:  mov    0x7fac4c,%eax
   0x005be397 <+1399>:  mov    0x3219(%eax),%cl
   0x005be39d <+1405>:  add    $0x1,%cl
   0x005be3a0 <+1408>:  adc    $0x0,%cl
   0x005be3a3 <+1411>:  mov    %cl,0x3219(%eax)
   0x005be3a9 <+1417>:  mov    0x34(%esp),%eax
   0x005be3ad <+1421>:  jmp    0x5be9d1 <h2_parse_frame_settings+2993>
   0x005be3b2 <+1426>:  mov    %ebp,0x3c(%esp)
   0x005be3b6 <+1430>:  mov    0x7fac4c,%eax
   0x005be3bb <+1435>:  mov    0x322f(%eax),%cl
   0x005be3c1 <+1441>:  add    $0x1,%cl
   0x005be3c4 <+1444>:  adc    $0x0,%cl
   0x005be3c7 <+1447>:  mov    %cl,0x322f(%eax)
   0x005be3cd <+1453>:  cmpb   $0x0,0x1e(%esp)
   0x005be3d2 <+1458>:  jne    0x5bf4a9 <h2_parse_frame_settings+5769>
   0x005be3d8 <+1464>:  mov    0x7fac4c,%eax
   0x005be3dd <+1469>:  mov    0x3218(%eax),%cl
   0x005be3e3 <+1475>:  add    $0x1,%cl
   0x005be3e6 <+1478>:  adc    $0x0,%cl
   0x005be3e9 <+1481>:  mov    %cl,0x3218(%eax)
   0x005be3ef <+1487>:  mov    0x78(%esp),%eax
   0x005be3f3 <+1491>:  mov    (%eax),%al
   0x005be3f5 <+1493>:  test   %al,%al
   0x005be3f7 <+1495>:  mov    0x3c(%esp),%edx
   0x005be3fb <+1499>:  je     0x5be407 <h2_parse_frame_settings+1511>
   0x005be3fd <+1501>:  cmp    %al,0x19(%esp)
   0x005be401 <+1505>:  jge    0x5bf42a <h2_parse_frame_settings+5642>
   0x005be407 <+1511>:  mov    0x7fac4c,%eax
   0x005be40c <+1516>:  mov    0x3215(%eax),%cl
   0x005be412 <+1522>:  add    $0x1,%cl
   0x005be415 <+1525>:  adc    $0x0,%cl
   0x005be418 <+1528>:  mov    %cl,0x3215(%eax)
   0x005be41e <+1534>:  mov    0x38(%esp),%eax
   0x005be422 <+1538>:  mov    (%eax),%ebp
   0x005be424 <+1540>:  test   %ebp,%ebp
   0x005be426 <+1542>:  je     0x5bea51 <h2_parse_frame_settings+3121>
   0x005be42c <+1548>:  mov    0x7fac4c,%eax
   0x005be431 <+1553>:  mov    0x3214(%eax),%cl
   0x005be437 <+1559>:  add    $0x1,%cl
   0x005be43a <+1562>:  adc    $0x0,%cl
   0x005be43d <+1565>:  testb  $0x3,0x20(%esp)
   0x005be442 <+1570>:  mov    %cl,0x3214(%eax)
   0x005be448 <+1576>:  jne    0x5bf725 <h2_parse_frame_settings+6405>
   0x005be44e <+1582>:  mov    0x7fac4c,%eax
   0x005be453 <+1587>:  mov    0x3211(%eax),%cl
   0x005be459 <+1593>:  add    $0x1,%cl
   0x005be45c <+1596>:  adc    $0x0,%cl
   0x005be45f <+1599>:  mov    %cl,0x3211(%eax)
   0x005be465 <+1605>:  mov    0x54(%esp),%eax
   0x005be469 <+1609>:  mov    (%eax),%al
   0x005be46b <+1611>:  test   %al,%al
   0x005be46d <+1613>:  je     0x5be479 <h2_parse_frame_settings+1625>
   0x005be46f <+1615>:  cmp    %al,0xa(%esp)
   0x005be473 <+1619>:  jge    0x5bf73e <h2_parse_frame_settings+6430>
   0x005be479 <+1625>:  mov    0x7fac4c,%eax
   0x005be47e <+1630>:  mov    0x320f(%eax),%cl
   0x005be484 <+1636>:  add    $0x1,%cl
   0x005be487 <+1639>:  adc    $0x0,%cl
   0x005be48a <+1642>:  mov    %cl,0x320f(%eax)
   0x005be490 <+1648>:  mov    0x20(%esp),%eax
   0x005be494 <+1652>:  sub    (%eax),%edx
   0x005be496 <+1654>:  mov    %edx,0x58(%esp)
   0x005be49a <+1658>:  js     0x5bea6d <h2_parse_frame_settings+3149>
   0x005be4a0 <+1664>:  mov    $0x7fffffff,%eax
   0x005be4a5 <+1669>:  sub    %edx,%eax
   0x005be4a7 <+1671>:  mov    %eax,0x40(%esp)
   0x005be4ab <+1675>:  mov    0x7fac4c,%eax
   0x005be4b0 <+1680>:  mov    0x320d(%eax),%cl
   0x005be4b6 <+1686>:  add    $0x1,%cl
   0x005be4b9 <+1689>:  adc    $0x0,%cl
   0x005be4bc <+1692>:  mov    %cl,0x320d(%eax)
   0x005be4c2 <+1698>:  dec    %ebp
   0x005be4c3 <+1699>:  xor    %esi,%esi
   0x005be4c5 <+1701>:  cmp    $0x20,%esi
   0x005be4c8 <+1704>:  je     0x5bf2b3 <h2_parse_frame_settings+5267>
   0x005be4ce <+1710>:  nop
   0x005be4cf <+1711>:  nop
   0x005be4d0 <+1712>:  mov    0x7fac4c,%eax
   0x005be4d5 <+1717>:  movzbl 0x320c(%eax),%ecx
   0x005be4dc <+1724>:  add    $0x1,%cl
   0x005be4df <+1727>:  adc    $0x0,%cl
   0x005be4e2 <+1730>:  mov    %cl,0x320c(%eax)
   0x005be4e8 <+1736>:  cmp    0x5c(%esp),%esi
   0x005be4ec <+1740>:  ja     0x5bf29a <h2_parse_frame_settings+5242>
   0x005be4f2 <+1746>:  mov    0x60(%esp),%eax
   0x005be4f6 <+1750>:  add    %esi,%eax
   0x005be4f8 <+1752>:  mov    0x7fac4c,%ecx
   0x005be4fe <+1758>:  movzbl 0x320a(%ecx),%edx
   0x005be505 <+1765>:  add    $0x1,%dl
   0x005be508 <+1768>:  adc    $0x0,%dl
   0x005be50b <+1771>:  mov    %dl,0x320a(%ecx)
   0x005be511 <+1777>:  test   $0x3,%al
   0x005be513 <+1779>:  jne    0x5bf24f <h2_parse_frame_settings+5167>
   0x005be519 <+1785>:  mov    0x7fac4c,%ecx
   0x005be51f <+1791>:  movzbl 0x3207(%ecx),%edx
   0x005be526 <+1798>:  add    $0x1,%dl
   0x005be529 <+1801>:  adc    $0x0,%dl
   0x005be52c <+1804>:  mov    %dl,0x3207(%ecx)
   0x005be532 <+1810>:  mov    %eax,%ecx
   0x005be534 <+1812>:  shr    $0x3,%ecx
   0x005be537 <+1815>:  movzbl 0x20000000(%ecx),%ecx
   0x005be53e <+1822>:  test   %cl,%cl
   0x005be540 <+1824>:  jne    0x5be739 <h2_parse_frame_settings+2329>
   0x005be546 <+1830>:  mov    0x7fac4c,%ecx
   0x005be54c <+1836>:  movzbl 0x3205(%ecx),%edx
   0x005be553 <+1843>:  add    $0x1,%dl
   0x005be556 <+1846>:  adc    $0x0,%dl
   0x005be559 <+1849>:  mov    %dl,0x3205(%ecx)
   0x005be55f <+1855>:  mov    (%eax),%ecx
   0x005be561 <+1857>:  test   $0x3,%cl
   0x005be564 <+1860>:  jne    0x5bf21d <h2_parse_frame_settings+5117>
   0x005be56a <+1866>:  test   %ecx,%ecx
   0x005be56c <+1868>:  je     0x5bf21d <h2_parse_frame_settings+5117>
   0x005be572 <+1874>:  mov    0x7fac4c,%eax
   0x005be577 <+1879>:  movzbl 0x3201(%eax),%edx
   0x005be57e <+1886>:  add    $0x1,%dl
   0x005be581 <+1889>:  adc    $0x0,%dl
   0x005be584 <+1892>:  mov    %dl,0x3201(%eax)
   0x005be58a <+1898>:  lea    0x14(%ecx),%ebx
   0x005be58d <+1901>:  test   $0x3,%bl
   0x005be590 <+1904>:  jne    0x5bf268 <h2_parse_frame_settings+5192>
   0x005be596 <+1910>:  mov    0x7fac4c,%eax
   0x005be59b <+1915>:  movzbl 0x31ff(%eax),%edx
   0x005be5a2 <+1922>:  add    $0x1,%dl
   0x005be5a5 <+1925>:  adc    $0x0,%dl
   0x005be5a8 <+1928>:  mov    %dl,0x31ff(%eax)
   0x005be5ae <+1934>:  mov    %ebx,0xc(%esp)
   0x005be5b2 <+1938>:  mov    %ebx,%edi
   0x005be5b4 <+1940>:  shr    $0x3,%edi
   0x005be5b7 <+1943>:  movzbl 0x20000000(%edi),%ebx
   0x005be5be <+1950>:  test   %bl,%bl
   0x005be5c0 <+1952>:  mov    %esi,0x10(%esp)
   0x005be5c4 <+1956>:  jne    0x5be78a <h2_parse_frame_settings+2410>
   0x005be5ca <+1962>:  mov    0x7fac4c,%eax
   0x005be5cf <+1967>:  movzbl 0x31fd(%eax),%ebx
   0x005be5d6 <+1974>:  add    $0x1,%bl
   0x005be5d9 <+1977>:  adc    $0x0,%bl
   0x005be5dc <+1980>:  mov    %bl,0x31fd(%eax)
   0x005be5e2 <+1986>:  lea    0x8(%ecx),%ebx
   0x005be5e5 <+1989>:  test   $0x3,%bl
   0x005be5e8 <+1992>:  jne    0x5bf281 <h2_parse_frame_settings+5217>
   0x005be5ee <+1998>:  mov    %ebp,%esi
   0x005be5f0 <+2000>:  mov    0x14(%ecx),%ebp
   0x005be5f3 <+2003>:  mov    0x7fac4c,%eax
   0x005be5f8 <+2008>:  movzbl 0x31f9(%eax),%edx
   0x005be5ff <+2015>:  add    $0x1,%dl
   0x005be602 <+2018>:  adc    $0x0,%dl
   0x005be605 <+2021>:  mov    %dl,0x31f9(%eax)
   0x005be60b <+2027>:  mov    %ebx,%eax
   0x005be60d <+2029>:  shr    $0x3,%eax
   0x005be610 <+2032>:  movzbl 0x20000000(%eax),%eax
   0x005be617 <+2039>:  test   %al,%al
   0x005be619 <+2041>:  jne    0x5be7da <h2_parse_frame_settings+2490>
   0x005be61f <+2047>:  mov    0x7fac4c,%eax
   0x005be624 <+2052>:  movzbl 0x31f7(%eax),%edx
   0x005be62b <+2059>:  add    $0x1,%dl
   0x005be62e <+2062>:  adc    $0x0,%dl
   0x005be631 <+2065>:  mov    %dl,0x31f7(%eax)
   0x005be637 <+2071>:  mov    (%ebx),%eax
   0x005be639 <+2073>:  cmp    $0x4,%eax
   0x005be63c <+2076>:  je     0x5be830 <h2_parse_frame_settings+2576>
   0x005be642 <+2082>:  cmp    $0x6,%eax
   0x005be645 <+2085>:  jne    0x5be670 <h2_parse_frame_settings+2128>
   0x005be647 <+2087>:  mov    0x7fac4c,%eax
   0x005be64c <+2092>:  movzbl 0x31f4(%eax),%ecx
   0x005be653 <+2099>:  add    $0x1,%cl
   0x005be656 <+2102>:  adc    $0x0,%cl
   0x005be659 <+2105>:  mov    %cl,0x31f4(%eax)
   0x005be65f <+2111>:  test   %esi,%esi
   0x005be661 <+2113>:  jne    0x5be84c <h2_parse_frame_settings+2604>
   0x005be667 <+2119>:  jmp    0x5be8c3 <h2_parse_frame_settings+2723>
   0x005be66c <+2124>:  nop
   0x005be66d <+2125>:  nop
   0x005be66e <+2126>:  nop
   0x005be66f <+2127>:  nop
   0x005be670 <+2128>:  mov    0x7fac4c,%eax
   0x005be675 <+2133>:  movzbl 0x31f2(%eax),%edx
   0x005be67c <+2140>:  add    $0x1,%dl
   0x005be67f <+2143>:  adc    $0x0,%dl
   0x005be682 <+2146>:  mov    %dl,0x31f2(%eax)
   0x005be688 <+2152>:  cmp    0x40(%esp),%ebp
   0x005be68c <+2156>:  jg     0x5be704 <h2_parse_frame_settings+2276>
   0x005be68e <+2158>:  mov    0x7fac4c,%eax
   0x005be693 <+2163>:  movzbl 0x31f1(%eax),%ecx
   0x005be69a <+2170>:  add    $0x1,%cl
   0x005be69d <+2173>:  adc    $0x0,%cl
   0x005be6a0 <+2176>:  mov    %cl,0x31f1(%eax)
   0x005be6a6 <+2182>:  add    0x58(%esp),%ebp
   0x005be6aa <+2186>:  jo     0x5bf3df <h2_parse_frame_settings+5567>
   0x005be6b0 <+2192>:  or     $0x20000000,%edi
   0x005be6b6 <+2198>:  mov    0x7fac4c,%eax
   0x005be6bb <+2203>:  movzbl 0x31ef(%eax),%ecx
   0x005be6c2 <+2210>:  add    $0x1,%cl
   0x005be6c5 <+2213>:  adc    $0x0,%cl
   0x005be6c8 <+2216>:  mov    %cl,0x31ef(%eax)
   0x005be6ce <+2222>:  movzbl (%edi),%eax
   0x005be6d1 <+2225>:  test   %al,%al
   0x005be6d3 <+2227>:  mov    0xc(%esp),%ebx
   0x005be6d7 <+2231>:  jne    0x5be87c <h2_parse_frame_settings+2652>
   0x005be6dd <+2237>:  mov    0x7fac4c,%eax
   0x005be6e2 <+2242>:  movzbl 0x31ec(%eax),%ecx
   0x005be6e9 <+2249>:  add    $0x1,%cl
   0x005be6ec <+2252>:  adc    $0x0,%cl
   0x005be6ef <+2255>:  mov    %cl,0x31ec(%eax)
   0x005be6f5 <+2261>:  mov    %ebp,(%ebx)
   0x005be6f7 <+2263>:  test   %esi,%esi
   0x005be6f9 <+2265>:  jne    0x5be84c <h2_parse_frame_settings+2604>
   0x005be6ff <+2271>:  jmp    0x5be8c3 <h2_parse_frame_settings+2723>
   0x005be704 <+2276>:  mov    0x7fac4c,%eax
   0x005be709 <+2281>:  movzbl 0x31f0(%eax),%edx
   0x005be710 <+2288>:  add    $0x1,%dl
   0x005be713 <+2291>:  adc    $0x0,%dl
   0x005be716 <+2294>:  mov    %dl,0x31f0(%eax)
   0x005be71c <+2300>:  movl   $0x3,(%esp)
   0x005be723 <+2307>:  mov    0x2c(%esp),%edx
   0x005be727 <+2311>:  call   0x5a5a7e <h2_send_rst_stream>
   0x005be72c <+2316>:  test   %esi,%esi
   0x005be72e <+2318>:  jne    0x5be84c <h2_parse_frame_settings+2604>
   0x005be734 <+2324>:  jmp    0x5be8c3 <h2_parse_frame_settings+2723>
   0x005be739 <+2329>:  mov    0x7fac4c,%edx
   0x005be73f <+2335>:  mov    0x3206(%edx),%ch
   0x005be745 <+2341>:  add    $0x1,%ch
   0x005be748 <+2344>:  adc    $0x0,%ch
   0x005be74b <+2347>:  mov    %ch,0x3206(%edx)
   0x005be751 <+2353>:  mov    %eax,%edx
   0x005be753 <+2355>:  and    $0x7,%dl
   0x005be756 <+2358>:  add    $0x3,%dl
   0x005be759 <+2361>:  cmp    %cl,%dl
   0x005be75b <+2363>:  jge    0x5bf44d <h2_parse_frame_settings+5677>
   0x005be761 <+2369>:  mov    0x7fac4c,%ecx
   0x005be767 <+2375>:  movzbl 0x3203(%ecx),%edx
   0x005be76e <+2382>:  add    $0x1,%dl
   0x005be771 <+2385>:  adc    $0x0,%dl
   0x005be774 <+2388>:  mov    %dl,0x3203(%ecx)
   0x005be77a <+2394>:  mov    (%eax),%ecx
   0x005be77c <+2396>:  test   $0x3,%cl
   0x005be77f <+2399>:  je     0x5be56a <h2_parse_frame_settings+1866>
   0x005be785 <+2405>:  jmp    0x5bf21d <h2_parse_frame_settings+5117>
   0x005be78a <+2410>:  mov    0x7fac4c,%eax
   0x005be78f <+2415>:  mov    0x31fe(%eax),%bh
   0x005be795 <+2421>:  add    $0x1,%bh
   0x005be798 <+2424>:  adc    $0x0,%bh
   0x005be79b <+2427>:  mov    %bh,0x31fe(%eax)
   0x005be7a1 <+2433>:  mov    0xc(%esp),%eax
   0x005be7a5 <+2437>:  and    $0x7,%al
   0x005be7a7 <+2439>:  add    $0x3,%al
   0x005be7a9 <+2441>:  cmp    %bl,%al
   0x005be7ab <+2443>:  jge    0x5bf4c2 <h2_parse_frame_settings+5794>
   0x005be7b1 <+2449>:  mov    0x7fac4c,%eax
   0x005be7b6 <+2454>:  movzbl 0x31fb(%eax),%ebx
   0x005be7bd <+2461>:  add    $0x1,%bl
   0x005be7c0 <+2464>:  adc    $0x0,%bl
   0x005be7c3 <+2467>:  mov    %bl,0x31fb(%eax)
   0x005be7c9 <+2473>:  lea    0x8(%ecx),%ebx
   0x005be7cc <+2476>:  test   $0x3,%bl
   0x005be7cf <+2479>:  je     0x5be5ee <h2_parse_frame_settings+1998>
   0x005be7d5 <+2485>:  jmp    0x5bf281 <h2_parse_frame_settings+5217>
   0x005be7da <+2490>:  mov    0x7fac4c,%edx
   0x005be7e0 <+2496>:  mov    0x31f8(%edx),%ah
   0x005be7e6 <+2502>:  add    $0x1,%ah
   0x005be7e9 <+2505>:  adc    $0x0,%ah
   0x005be7ec <+2508>:  mov    %ah,0x31f8(%edx)
   0x005be7f2 <+2514>:  mov    %ebx,%edx
   0x005be7f4 <+2516>:  and    $0x7,%dl
   0x005be7f7 <+2519>:  add    $0x3,%dl
   0x005be7fa <+2522>:  cmp    %al,%dl
   0x005be7fc <+2524>:  jge    0x5bf4e5 <h2_parse_frame_settings+5829>
   0x005be802 <+2530>:  mov    0x7fac4c,%eax
   0x005be807 <+2535>:  movzbl 0x31f5(%eax),%edx
   0x005be80e <+2542>:  add    $0x1,%dl
   0x005be811 <+2545>:  adc    $0x0,%dl
   0x005be814 <+2548>:  mov    %dl,0x31f5(%eax)
   0x005be81a <+2554>:  mov    (%ebx),%eax
   0x005be81c <+2556>:  cmp    $0x4,%eax
   0x005be81f <+2559>:  jne    0x5be642 <h2_parse_frame_settings+2082>
   0x005be825 <+2565>:  nop
   0x005be826 <+2566>:  nop
   0x005be827 <+2567>:  nop
   0x005be828 <+2568>:  nop
   0x005be829 <+2569>:  nop
   0x005be82a <+2570>:  nop
   0x005be82b <+2571>:  nop
   0x005be82c <+2572>:  nop
   0x005be82d <+2573>:  nop
   0x005be82e <+2574>:  nop
   0x005be82f <+2575>:  nop
   0x005be830 <+2576>:  mov    0x7fac4c,%eax
   0x005be835 <+2581>:  movzbl 0x31f3(%eax),%ecx
   0x005be83c <+2588>:  add    $0x1,%cl
   0x005be83f <+2591>:  adc    $0x0,%cl
   0x005be842 <+2594>:  mov    %cl,0x31f3(%eax)
   0x005be848 <+2600>:  test   %esi,%esi
   0x005be84a <+2602>:  je     0x5be8c3 <h2_parse_frame_settings+2723>
   0x005be84c <+2604>:  mov    %esi,%ebp
   0x005be84e <+2606>:  mov    0x7fac4c,%eax
   0x005be853 <+2611>:  movzbl 0x31e9(%eax),%ecx
   0x005be85a <+2618>:  add    $0x1,%cl
   0x005be85d <+2621>:  adc    $0x0,%cl
   0x005be860 <+2624>:  mov    %cl,0x31e9(%eax)
   0x005be866 <+2630>:  mov    0x10(%esp),%esi
   0x005be86a <+2634>:  add    $0x4,%esi
   0x005be86d <+2637>:  dec    %ebp
   0x005be86e <+2638>:  cmp    $0x20,%esi
   0x005be871 <+2641>:  jne    0x5be4d0 <h2_parse_frame_settings+1712>
   0x005be877 <+2647>:  jmp    0x5bf2b3 <h2_parse_frame_settings+5267>
   0x005be87c <+2652>:  mov    0x7fac4c,%ecx
   0x005be882 <+2658>:  movzbl 0x31ed(%ecx),%edx
   0x005be889 <+2665>:  add    $0x1,%dl
   0x005be88c <+2668>:  adc    $0x0,%dl
   0x005be88f <+2671>:  mov    %dl,0x31ed(%ecx)
   0x005be895 <+2677>:  mov    %ebx,%ecx
   0x005be897 <+2679>:  and    $0x7,%cl
   0x005be89a <+2682>:  add    $0x3,%cl
   0x005be89d <+2685>:  cmp    %al,%cl
   0x005be89f <+2687>:  jge    0x5bf504 <h2_parse_frame_settings+5860>
   0x005be8a5 <+2693>:  mov    0x7fac4c,%eax
   0x005be8aa <+2698>:  movzbl 0x31ea(%eax),%ecx
   0x005be8b1 <+2705>:  add    $0x1,%cl
   0x005be8b4 <+2708>:  adc    $0x0,%cl
   0x005be8b7 <+2711>:  mov    %cl,0x31ea(%eax)
   0x005be8bd <+2717>:  mov    %ebp,(%ebx)
   0x005be8bf <+2719>:  test   %esi,%esi
   0x005be8c1 <+2721>:  jne    0x5be84c <h2_parse_frame_settings+2604>
   0x005be8c3 <+2723>:  mov    0x7fac4c,%eax
   0x005be8c8 <+2728>:  mov    0x31e8(%eax),%cl
   0x005be8ce <+2734>:  add    $0x1,%cl
   0x005be8d1 <+2737>:  adc    $0x0,%cl
   0x005be8d4 <+2740>:  mov    %cl,0x31e8(%eax)
   0x005be8da <+2746>:  jmp    0x5bee9d <h2_parse_frame_settings+4221>
   0x005be8df <+2751>:  mov    0x7fac4c,%eax
   0x005be8e4 <+2756>:  mov    0x322d(%eax),%cl
   0x005be8ea <+2762>:  add    $0x1,%cl
   0x005be8ed <+2765>:  adc    $0x0,%cl
   0x005be8f0 <+2768>:  mov    %cl,0x322d(%eax)
   0x005be8f6 <+2774>:  cmp    $0x2,%ebp
   0x005be8f9 <+2777>:  jae    0x5bf152 <h2_parse_frame_settings+4914>
   0x005be8ff <+2783>:  mov    0x7fac4c,%eax
   0x005be904 <+2788>:  mov    0x3221(%eax),%cl
   0x005be90a <+2794>:  add    $0x1,%cl
   0x005be90d <+2797>:  adc    $0x0,%cl
   0x005be910 <+2800>:  mov    %cl,0x3221(%eax)
   0x005be916 <+2806>:  cmpb   $0x0,0x1b(%esp)
   0x005be91b <+2811>:  jne    0x5bf59b <h2_parse_frame_settings+6011>
   0x005be921 <+2817>:  mov    0x7fac4c,%eax
   0x005be926 <+2822>:  mov    0x3220(%eax),%cl
   0x005be92c <+2828>:  add    $0x1,%cl
   0x005be92f <+2831>:  adc    $0x0,%cl
   0x005be932 <+2834>:  mov    %cl,0x3220(%eax)
   0x005be938 <+2840>:  mov    0x68(%esp),%eax
   0x005be93c <+2844>:  mov    (%eax),%al
   0x005be93e <+2846>:  test   %al,%al
   0x005be940 <+2848>:  je     0x5be94c <h2_parse_frame_settings+2860>
   0x005be942 <+2850>:  cmp    %al,0x16(%esp)
   0x005be946 <+2854>:  jge    0x5bf5b4 <h2_parse_frame_settings+6036>
   0x005be94c <+2860>:  mov    0x7fac4c,%eax
   0x005be951 <+2865>:  mov    0x321d(%eax),%cl
   0x005be957 <+2871>:  add    $0x1,%cl
   0x005be95a <+2874>:  adc    $0x0,%cl
   0x005be95d <+2877>:  mov    %cl,0x321d(%eax)
   0x005be963 <+2883>:  mov    0x30(%esp),%eax
   0x005be967 <+2887>:  jmp    0x5be9d1 <h2_parse_frame_settings+2993>
   0x005be969 <+2889>:  mov    0x7fac4c,%eax
   0x005be96e <+2894>:  mov    0x3231(%eax),%cl
   0x005be974 <+2900>:  add    $0x1,%cl
   0x005be977 <+2903>:  adc    $0x0,%cl
   0x005be97a <+2906>:  mov    %cl,0x3231(%eax)
   0x005be980 <+2912>:  cmpb   $0x0,0xb(%esp)
   0x005be985 <+2917>:  jne    0x5bf613 <h2_parse_frame_settings+6131>
   0x005be98b <+2923>:  mov    0x7fac4c,%eax
   0x005be990 <+2928>:  mov    0x31b8(%eax),%cl
   0x005be996 <+2934>:  add    $0x1,%cl
   0x005be999 <+2937>:  adc    $0x0,%cl
   0x005be99c <+2940>:  mov    %cl,0x31b8(%eax)
   0x005be9a2 <+2946>:  mov    0x70(%esp),%eax
   0x005be9a6 <+2950>:  mov    (%eax),%al
   0x005be9a8 <+2952>:  test   %al,%al
   0x005be9aa <+2954>:  je     0x5be9b6 <h2_parse_frame_settings+2966>
   0x005be9ac <+2956>:  cmp    %al,0x1a(%esp)
   0x005be9b0 <+2960>:  jge    0x5bf62c <h2_parse_frame_settings+6156>
   0x005be9b6 <+2966>:  mov    0x7fac4c,%eax
   0x005be9bb <+2971>:  mov    0x31b5(%eax),%cl
   0x005be9c1 <+2977>:  add    $0x1,%cl
   0x005be9c4 <+2980>:  adc    $0x0,%cl
   0x005be9c7 <+2983>:  mov    %cl,0x31b5(%eax)
   0x005be9cd <+2989>:  mov    0x4c(%esp),%eax
   0x005be9d1 <+2993>:  mov    %ebp,(%eax)
   0x005be9d3 <+2995>:  jmp    0x5bef00 <h2_parse_frame_settings+4320>
   0x005be9d8 <+3000>:  mov    0x7fac4c,%eax
   0x005be9dd <+3005>:  mov    0x322b(%eax),%cl
   0x005be9e3 <+3011>:  add    $0x1,%cl
   0x005be9e6 <+3014>:  adc    $0x0,%cl
   0x005be9e9 <+3017>:  mov    %cl,0x322b(%eax)
   0x005be9ef <+3023>:  jmp    0x5bef00 <h2_parse_frame_settings+4320>
   0x005be9f4 <+3028>:  mov    0x7fac4c,%eax
   0x005be9f9 <+3033>:  mov    0x3226(%eax),%cl
   0x005be9ff <+3039>:  add    $0x1,%cl
   0x005bea02 <+3042>:  adc    $0x0,%cl
   0x005bea05 <+3045>:  mov    %cl,0x3226(%eax)
   0x005bea0b <+3051>:  mov    0x50(%esp),%eax
   0x005bea0f <+3055>:  mov    (%eax),%al
   0x005bea11 <+3057>:  test   %al,%al
   0x005bea13 <+3059>:  je     0x5bea1f <h2_parse_frame_settings+3071>
   0x005bea15 <+3061>:  cmp    %al,0x9(%esp)
   0x005bea19 <+3065>:  jge    0x5bf7e6 <h2_parse_frame_settings+6598>
   0x005bea1f <+3071>:  mov    0x7fac4c,%eax
   0x005bea24 <+3076>:  mov    0x3223(%eax),%cl
   0x005bea2a <+3082>:  add    $0x1,%cl
   0x005bea2d <+3085>:  adc    $0x0,%cl
   0x005bea30 <+3088>:  mov    %cl,0x3223(%eax)
   0x005bea36 <+3094>:  mov    0x24(%esp),%eax
   0x005bea3a <+3098>:  mov    %edx,(%eax)
   0x005bea3c <+3100>:  mov    %edx,0x4(%esp)
   0x005bea40 <+3104>:  mov    0x64(%esp),%eax
   0x005bea44 <+3108>:  mov    %eax,(%esp)
   0x005bea47 <+3111>:  call   0x6034b0 <lshpack_enc_set_max_capacity>
   0x005bea4c <+3116>:  jmp    0x5bef00 <h2_parse_frame_settings+4320>
   0x005bea51 <+3121>:  mov    0x7fac4c,%eax
   0x005bea56 <+3126>:  mov    0x3213(%eax),%cl
   0x005bea5c <+3132>:  add    $0x1,%cl
   0x005bea5f <+3135>:  adc    $0x0,%cl
   0x005bea62 <+3138>:  mov    %cl,0x3213(%eax)
   0x005bea68 <+3144>:  jmp    0x5beea1 <h2_parse_frame_settings+4225>
   0x005bea6d <+3149>:  mov    $0x80000000,%eax
   0x005bea72 <+3154>:  sub    %edx,%eax
   0x005bea74 <+3156>:  mov    %eax,0x40(%esp)
   0x005bea78 <+3160>:  mov    0x7fac4c,%eax
   0x005bea7d <+3165>:  mov    0x320e(%eax),%cl
   0x005bea83 <+3171>:  add    $0x1,%cl
   0x005bea86 <+3174>:  adc    $0x0,%cl
   0x005bea89 <+3177>:  mov    %cl,0x320e(%eax)
   0x005bea8f <+3183>:  dec    %ebp
   0x005bea90 <+3184>:  xor    %esi,%esi
   0x005bea92 <+3186>:  cmp    $0x20,%esi
   0x005bea95 <+3189>:  je     0x5bf330 <h2_parse_frame_settings+5392>
   0x005bea9b <+3195>:  nop
   0x005bea9c <+3196>:  nop
   0x005bea9d <+3197>:  nop
   0x005bea9e <+3198>:  nop
   0x005bea9f <+3199>:  nop
   0x005beaa0 <+3200>:  mov    0x7fac4c,%eax
   0x005beaa5 <+3205>:  movzbl 0x31e7(%eax),%ecx
   0x005beaac <+3212>:  add    $0x1,%cl
   0x005beaaf <+3215>:  adc    $0x0,%cl
   0x005beab2 <+3218>:  mov    %cl,0x31e7(%eax)
   0x005beab8 <+3224>:  cmp    0x5c(%esp),%esi
   0x005beabc <+3228>:  ja     0x5bf317 <h2_parse_frame_settings+5367>
   0x005beac2 <+3234>:  mov    0x60(%esp),%eax
   0x005beac6 <+3238>:  add    %esi,%eax
   0x005beac8 <+3240>:  mov    0x7fac4c,%ecx
   0x005beace <+3246>:  movzbl 0x31e5(%ecx),%edx
   0x005bead5 <+3253>:  add    $0x1,%dl
   0x005bead8 <+3256>:  adc    $0x0,%dl
   0x005beadb <+3259>:  mov    %dl,0x31e5(%ecx)
   0x005beae1 <+3265>:  test   $0x3,%al
   0x005beae3 <+3267>:  jne    0x5bf2cc <h2_parse_frame_settings+5292>
   0x005beae9 <+3273>:  mov    0x7fac4c,%ecx
   0x005beaef <+3279>:  movzbl 0x31e2(%ecx),%edx
   0x005beaf6 <+3286>:  add    $0x1,%dl
   0x005beaf9 <+3289>:  adc    $0x0,%dl
   0x005beafc <+3292>:  mov    %dl,0x31e2(%ecx)
   0x005beb02 <+3298>:  mov    %eax,%ecx
   0x005beb04 <+3300>:  shr    $0x3,%ecx
   0x005beb07 <+3303>:  movzbl 0x20000000(%ecx),%ecx
   0x005beb0e <+3310>:  test   %cl,%cl
   0x005beb10 <+3312>:  jne    0x5becf9 <h2_parse_frame_settings+3801>
   0x005beb16 <+3318>:  mov    0x7fac4c,%ecx
   0x005beb1c <+3324>:  movzbl 0x31e0(%ecx),%edx
   0x005beb23 <+3331>:  add    $0x1,%dl
   0x005beb26 <+3334>:  adc    $0x0,%dl
   0x005beb29 <+3337>:  mov    %dl,0x31e0(%ecx)
   0x005beb2f <+3343>:  mov    (%eax),%ecx
   0x005beb31 <+3345>:  test   $0x3,%cl
   0x005beb34 <+3348>:  jne    0x5bf236 <h2_parse_frame_settings+5142>
   0x005beb3a <+3354>:  test   %ecx,%ecx
   0x005beb3c <+3356>:  je     0x5bf236 <h2_parse_frame_settings+5142>
   0x005beb42 <+3362>:  mov    0x7fac4c,%eax
   0x005beb47 <+3367>:  movzbl 0x31dc(%eax),%edx
   0x005beb4e <+3374>:  add    $0x1,%dl
   0x005beb51 <+3377>:  adc    $0x0,%dl
   0x005beb54 <+3380>:  mov    %dl,0x31dc(%eax)
   0x005beb5a <+3386>:  lea    0x14(%ecx),%ebx
   0x005beb5d <+3389>:  test   $0x3,%bl
   0x005beb60 <+3392>:  jne    0x5bf2e5 <h2_parse_frame_settings+5317>
   0x005beb66 <+3398>:  mov    0x7fac4c,%eax
   0x005beb6b <+3403>:  movzbl 0x31da(%eax),%edx
   0x005beb72 <+3410>:  add    $0x1,%dl
   0x005beb75 <+3413>:  adc    $0x0,%dl
   0x005beb78 <+3416>:  mov    %dl,0x31da(%eax)
   0x005beb7e <+3422>:  mov    %ebx,0xc(%esp)
   0x005beb82 <+3426>:  mov    %ebx,%edi
   0x005beb84 <+3428>:  shr    $0x3,%edi
   0x005beb87 <+3431>:  movzbl 0x20000000(%edi),%ebx
   0x005beb8e <+3438>:  test   %bl,%bl
   0x005beb90 <+3440>:  mov    %esi,0x10(%esp)
   0x005beb94 <+3444>:  jne    0x5bed4a <h2_parse_frame_settings+3882>
   0x005beb9a <+3450>:  mov    0x7fac4c,%eax
   0x005beb9f <+3455>:  movzbl 0x31d8(%eax),%ebx
   0x005beba6 <+3462>:  add    $0x1,%bl
   0x005beba9 <+3465>:  adc    $0x0,%bl
   0x005bebac <+3468>:  mov    %bl,0x31d8(%eax)
   0x005bebb2 <+3474>:  lea    0x8(%ecx),%ebx
   0x005bebb5 <+3477>:  test   $0x3,%bl
   0x005bebb8 <+3480>:  jne    0x5bf2fe <h2_parse_frame_settings+5342>
   0x005bebbe <+3486>:  mov    %ebp,%esi
   0x005bebc0 <+3488>:  mov    0x14(%ecx),%ebp
   0x005bebc3 <+3491>:  mov    0x7fac4c,%eax
   0x005bebc8 <+3496>:  movzbl 0x31d4(%eax),%edx
   0x005bebcf <+3503>:  add    $0x1,%dl
   0x005bebd2 <+3506>:  adc    $0x0,%dl
   0x005bebd5 <+3509>:  mov    %dl,0x31d4(%eax)
   0x005bebdb <+3515>:  mov    %ebx,%eax
   0x005bebdd <+3517>:  shr    $0x3,%eax
   0x005bebe0 <+3520>:  movzbl 0x20000000(%eax),%eax
   0x005bebe7 <+3527>:  test   %al,%al
   0x005bebe9 <+3529>:  jne    0x5bed9a <h2_parse_frame_settings+3962>
   0x005bebef <+3535>:  mov    0x7fac4c,%eax
   0x005bebf4 <+3540>:  movzbl 0x31d2(%eax),%edx
   0x005bebfb <+3547>:  add    $0x1,%dl
   0x005bebfe <+3550>:  adc    $0x0,%dl
   0x005bec01 <+3553>:  mov    %dl,0x31d2(%eax)
   0x005bec07 <+3559>:  mov    (%ebx),%eax
   0x005bec09 <+3561>:  cmp    $0x4,%eax
   0x005bec0c <+3564>:  je     0x5bedf0 <h2_parse_frame_settings+4048>
   0x005bec12 <+3570>:  cmp    $0x6,%eax
   0x005bec15 <+3573>:  jne    0x5bec40 <h2_parse_frame_settings+3616>
   0x005bec17 <+3575>:  mov    0x7fac4c,%eax
   0x005bec1c <+3580>:  movzbl 0x31cf(%eax),%ecx
   0x005bec23 <+3587>:  add    $0x1,%cl
   0x005bec26 <+3590>:  adc    $0x0,%cl
   0x005bec29 <+3593>:  mov    %cl,0x31cf(%eax)
   0x005bec2f <+3599>:  jmp    0x5bee08 <h2_parse_frame_settings+4072>
   0x005bec34 <+3604>:  nop
   0x005bec35 <+3605>:  nop
   0x005bec36 <+3606>:  nop
   0x005bec37 <+3607>:  nop
   0x005bec38 <+3608>:  nop
   0x005bec39 <+3609>:  nop
   0x005bec3a <+3610>:  nop
   0x005bec3b <+3611>:  nop
   0x005bec3c <+3612>:  nop
   0x005bec3d <+3613>:  nop
   0x005bec3e <+3614>:  nop
   0x005bec3f <+3615>:  nop
   0x005bec40 <+3616>:  mov    0x7fac4c,%eax
   0x005bec45 <+3621>:  movzbl 0x31cd(%eax),%edx
   0x005bec4c <+3628>:  add    $0x1,%dl
   0x005bec4f <+3631>:  adc    $0x0,%dl
   0x005bec52 <+3634>:  mov    %dl,0x31cd(%eax)
   0x005bec58 <+3640>:  cmp    0x40(%esp),%ebp
   0x005bec5c <+3644>:  jl     0x5beccc <h2_parse_frame_settings+3756>
   0x005bec5e <+3646>:  mov    0x7fac4c,%eax
   0x005bec63 <+3651>:  movzbl 0x31cc(%eax),%ecx
   0x005bec6a <+3658>:  add    $0x1,%cl
   0x005bec6d <+3661>:  adc    $0x0,%cl
   0x005bec70 <+3664>:  mov    %cl,0x31cc(%eax)
   0x005bec76 <+3670>:  add    0x58(%esp),%ebp
   0x005bec7a <+3674>:  jo     0x5bf3f8 <h2_parse_frame_settings+5592>
   0x005bec80 <+3680>:  or     $0x20000000,%edi
   0x005bec86 <+3686>:  mov    0x7fac4c,%eax
   0x005bec8b <+3691>:  movzbl 0x31ca(%eax),%ecx
   0x005bec92 <+3698>:  add    $0x1,%cl
   0x005bec95 <+3701>:  adc    $0x0,%cl
   0x005bec98 <+3704>:  mov    %cl,0x31ca(%eax)
   0x005bec9e <+3710>:  movzbl (%edi),%eax
   0x005beca1 <+3713>:  test   %al,%al
   0x005beca3 <+3715>:  mov    0xc(%esp),%ebx
   0x005beca7 <+3719>:  jne    0x5bee3c <h2_parse_frame_settings+4124>
   0x005becad <+3725>:  mov    0x7fac4c,%eax
   0x005becb2 <+3730>:  movzbl 0x31c7(%eax),%ecx
   0x005becb9 <+3737>:  add    $0x1,%cl
   0x005becbc <+3740>:  adc    $0x0,%cl
   0x005becbf <+3743>:  mov    %cl,0x31c7(%eax)
   0x005becc5 <+3749>:  mov    %ebp,(%ebx)
   0x005becc7 <+3751>:  jmp    0x5bee08 <h2_parse_frame_settings+4072>
   0x005beccc <+3756>:  mov    0x7fac4c,%eax
   0x005becd1 <+3761>:  movzbl 0x31cb(%eax),%edx
   0x005becd8 <+3768>:  add    $0x1,%dl
   0x005becdb <+3771>:  adc    $0x0,%dl
   0x005becde <+3774>:  mov    %dl,0x31cb(%eax)
   0x005bece4 <+3780>:  movl   $0x3,(%esp)
   0x005beceb <+3787>:  mov    0x2c(%esp),%edx
   0x005becef <+3791>:  call   0x5a5a7e <h2_send_rst_stream>
   0x005becf4 <+3796>:  jmp    0x5bee08 <h2_parse_frame_settings+4072>
   0x005becf9 <+3801>:  mov    0x7fac4c,%edx
   0x005becff <+3807>:  mov    0x31e1(%edx),%ch
   0x005bed05 <+3813>:  add    $0x1,%ch
   0x005bed08 <+3816>:  adc    $0x0,%ch
   0x005bed0b <+3819>:  mov    %ch,0x31e1(%edx)
   0x005bed11 <+3825>:  mov    %eax,%edx
   0x005bed13 <+3827>:  and    $0x7,%dl
   0x005bed16 <+3830>:  add    $0x3,%dl
   0x005bed19 <+3833>:  cmp    %cl,%dl
   0x005bed1b <+3835>:  jge    0x5bf761 <h2_parse_frame_settings+6465>
   0x005bed21 <+3841>:  mov    0x7fac4c,%ecx
   0x005bed27 <+3847>:  movzbl 0x31de(%ecx),%edx
   0x005bed2e <+3854>:  add    $0x1,%dl
   0x005bed31 <+3857>:  adc    $0x0,%dl
   0x005bed34 <+3860>:  mov    %dl,0x31de(%ecx)
   0x005bed3a <+3866>:  mov    (%eax),%ecx
   0x005bed3c <+3868>:  test   $0x3,%cl
   0x005bed3f <+3871>:  je     0x5beb3a <h2_parse_frame_settings+3354>
   0x005bed45 <+3877>:  jmp    0x5bf236 <h2_parse_frame_settings+5142>
   0x005bed4a <+3882>:  mov    0x7fac4c,%eax
   0x005bed4f <+3887>:  mov    0x31d9(%eax),%bh
   0x005bed55 <+3893>:  add    $0x1,%bh
   0x005bed58 <+3896>:  adc    $0x0,%bh
   0x005bed5b <+3899>:  mov    %bh,0x31d9(%eax)
   0x005bed61 <+3905>:  mov    0xc(%esp),%eax
   0x005bed65 <+3909>:  and    $0x7,%al
   0x005bed67 <+3911>:  add    $0x3,%al
   0x005bed69 <+3913>:  cmp    %bl,%al
   0x005bed6b <+3915>:  jge    0x5bf781 <h2_parse_frame_settings+6497>
   0x005bed71 <+3921>:  mov    0x7fac4c,%eax
   0x005bed76 <+3926>:  movzbl 0x31d6(%eax),%ebx
   0x005bed7d <+3933>:  add    $0x1,%bl
   0x005bed80 <+3936>:  adc    $0x0,%bl
   0x005bed83 <+3939>:  mov    %bl,0x31d6(%eax)
   0x005bed89 <+3945>:  lea    0x8(%ecx),%ebx
   0x005bed8c <+3948>:  test   $0x3,%bl
   0x005bed8f <+3951>:  je     0x5bebbe <h2_parse_frame_settings+3486>
   0x005bed95 <+3957>:  jmp    0x5bf2fe <h2_parse_frame_settings+5342>
   0x005bed9a <+3962>:  mov    0x7fac4c,%edx
   0x005beda0 <+3968>:  mov    0x31d3(%edx),%ah
   0x005beda6 <+3974>:  add    $0x1,%ah
   0x005beda9 <+3977>:  adc    $0x0,%ah
   0x005bedac <+3980>:  mov    %ah,0x31d3(%edx)
   0x005bedb2 <+3986>:  mov    %ebx,%edx
   0x005bedb4 <+3988>:  and    $0x7,%dl
   0x005bedb7 <+3991>:  add    $0x3,%dl
   0x005bedba <+3994>:  cmp    %al,%dl
   0x005bedbc <+3996>:  jge    0x5bf7a4 <h2_parse_frame_settings+6532>
   0x005bedc2 <+4002>:  mov    0x7fac4c,%eax
   0x005bedc7 <+4007>:  movzbl 0x31d0(%eax),%edx
   0x005bedce <+4014>:  add    $0x1,%dl
   0x005bedd1 <+4017>:  adc    $0x0,%dl
   0x005bedd4 <+4020>:  mov    %dl,0x31d0(%eax)
   0x005bedda <+4026>:  mov    (%ebx),%eax
   0x005beddc <+4028>:  cmp    $0x4,%eax
   0x005beddf <+4031>:  jne    0x5bec12 <h2_parse_frame_settings+3570>
   0x005bede5 <+4037>:  nop
   0x005bede6 <+4038>:  nop
   0x005bede7 <+4039>:  nop
   0x005bede8 <+4040>:  nop
   0x005bede9 <+4041>:  nop
   0x005bedea <+4042>:  nop
   0x005bedeb <+4043>:  nop
   0x005bedec <+4044>:  nop
   0x005beded <+4045>:  nop
   0x005bedee <+4046>:  nop
   0x005bedef <+4047>:  nop
   0x005bedf0 <+4048>:  mov    0x7fac4c,%eax
   0x005bedf5 <+4053>:  movzbl 0x31ce(%eax),%ecx
   0x005bedfc <+4060>:  add    $0x1,%cl
   0x005bedff <+4063>:  adc    $0x0,%cl
   0x005bee02 <+4066>:  mov    %cl,0x31ce(%eax)
   0x005bee08 <+4072>:  test   %esi,%esi
   0x005bee0a <+4074>:  je     0x5bee86 <h2_parse_frame_settings+4198>
   0x005bee0c <+4076>:  mov    %esi,%ebp
   0x005bee0e <+4078>:  mov    0x7fac4c,%eax
   0x005bee13 <+4083>:  movzbl 0x31c4(%eax),%ecx
   0x005bee1a <+4090>:  add    $0x1,%cl
   0x005bee1d <+4093>:  adc    $0x0,%cl
   0x005bee20 <+4096>:  mov    %cl,0x31c4(%eax)
   0x005bee26 <+4102>:  mov    0x10(%esp),%esi
   0x005bee2a <+4106>:  add    $0x4,%esi
   0x005bee2d <+4109>:  dec    %ebp
   0x005bee2e <+4110>:  cmp    $0x20,%esi
   0x005bee31 <+4113>:  jne    0x5beaa0 <h2_parse_frame_settings+3200>
   0x005bee37 <+4119>:  jmp    0x5bf330 <h2_parse_frame_settings+5392>
   0x005bee3c <+4124>:  mov    0x7fac4c,%ecx
   0x005bee42 <+4130>:  movzbl 0x31c8(%ecx),%edx
   0x005bee49 <+4137>:  add    $0x1,%dl
   0x005bee4c <+4140>:  adc    $0x0,%dl
   0x005bee4f <+4143>:  mov    %dl,0x31c8(%ecx)
   0x005bee55 <+4149>:  mov    %ebx,%ecx
   0x005bee57 <+4151>:  and    $0x7,%cl
   0x005bee5a <+4154>:  add    $0x3,%cl
   0x005bee5d <+4157>:  cmp    %al,%cl
   0x005bee5f <+4159>:  jge    0x5bf7c3 <h2_parse_frame_settings+6563>
   0x005bee65 <+4165>:  mov    0x7fac4c,%eax
   0x005bee6a <+4170>:  movzbl 0x31c5(%eax),%ecx
   0x005bee71 <+4177>:  add    $0x1,%cl
   0x005bee74 <+4180>:  adc    $0x0,%cl
   0x005bee77 <+4183>:  mov    %cl,0x31c5(%eax)
   0x005bee7d <+4189>:  mov    0xc(%esp),%ebx
   0x005bee81 <+4193>:  jmp    0x5becc5 <h2_parse_frame_settings+3749>
   0x005bee86 <+4198>:  mov    0x7fac4c,%eax
   0x005bee8b <+4203>:  mov    0x31c3(%eax),%cl
   0x005bee91 <+4209>:  add    $0x1,%cl
   0x005bee94 <+4212>:  adc    $0x0,%cl
   0x005bee97 <+4215>:  mov    %cl,0x31c3(%eax)
   0x005bee9d <+4221>:  mov    0x3c(%esp),%edx
   0x005beea1 <+4225>:  testb  $0x3,0x20(%esp)
   0x005beea6 <+4230>:  jne    0x5bf523 <h2_parse_frame_settings+5891>
   0x005beeac <+4236>:  mov    0x7fac4c,%eax
   0x005beeb1 <+4241>:  mov    0x31c1(%eax),%cl
   0x005beeb7 <+4247>:  add    $0x1,%cl
   0x005beeba <+4250>:  adc    $0x0,%cl
   0x005beebd <+4253>:  mov    %cl,0x31c1(%eax)
   0x005beec3 <+4259>:  mov    0x54(%esp),%eax
   0x005beec7 <+4263>:  mov    (%eax),%al
   0x005beec9 <+4265>:  test   %al,%al
   0x005beecb <+4267>:  je     0x5beed7 <h2_parse_frame_settings+4279>
   0x005beecd <+4269>:  cmp    %al,0xa(%esp)
   0x005beed1 <+4273>:  jge    0x5bf53c <h2_parse_frame_settings+5916>
   0x005beed7 <+4279>:  mov    0x7fac4c,%eax
   0x005beedc <+4284>:  mov    0x31bf(%eax),%cl
   0x005beee2 <+4290>:  add    $0x1,%cl
   0x005beee5 <+4293>:  adc    $0x0,%cl
   0x005beee8 <+4296>:  mov    %cl,0x31bf(%eax)
   0x005beeee <+4302>:  mov    0x20(%esp),%eax
   0x005beef2 <+4306>:  mov    %edx,(%eax)
   0x005beef4 <+4308>:  nop
   0x005beef5 <+4309>:  nop
   0x005beef6 <+4310>:  nop
   0x005beef7 <+4311>:  nop
   0x005beef8 <+4312>:  nop
   0x005beef9 <+4313>:  nop
   0x005beefa <+4314>:  nop
   0x005beefb <+4315>:  nop
   0x005beefc <+4316>:  nop
   0x005beefd <+4317>:  nop
   0x005beefe <+4318>:  nop
   0x005beeff <+4319>:  nop
   0x005bef00 <+4320>:  mov    0x28(%esp),%eax
   0x005bef04 <+4324>:  xor    $0xfffffffe,%eax
   0x005bef07 <+4327>:  cmp    $0x5,%eax
   0x005bef0a <+4330>:  jbe    0x5bf3ad <h2_parse_frame_settings+5517>
   0x005bef10 <+4336>:  mov    0x7fac4c,%eax
   0x005bef15 <+4341>:  mov    0x31b4(%eax),%cl
   0x005bef1b <+4347>:  add    $0x1,%cl
   0x005bef1e <+4350>:  adc    $0x0,%cl
   0x005bef21 <+4353>:  mov    %cl,0x31b4(%eax)
   0x005bef27 <+4359>:  mov    0x44(%esp),%eax
   0x005bef2b <+4363>:  add    $0xfffffffa,%eax
   0x005bef2e <+4366>:  mov    %eax,0x44(%esp)
   0x005bef32 <+4370>:  cmp    $0x5,%eax
   0x005bef35 <+4373>:  jbe    0x5bf0fb <h2_parse_frame_settings+4827>
   0x005bef3b <+4379>:  mov    0x28(%esp),%edx
   0x005bef3f <+4383>:  add    $0x6,%edx
   0x005bef42 <+4386>:  mov    0x7fac4c,%eax
   0x005bef47 <+4391>:  mov    0x31b1(%eax),%cl
   0x005bef4d <+4397>:  add    $0x1,%cl
   0x005bef50 <+4400>:  adc    $0x0,%cl
   0x005bef53 <+4403>:  mov    %cl,0x31b1(%eax)
   0x005bef59 <+4409>:  cmp    $0xfffffffe,%edx
   0x005bef5c <+4412>:  jne    0x5be050 <h2_parse_frame_settings+560>
   0x005bef62 <+4418>:  jmp    0x5bf3c6 <h2_parse_frame_settings+5542>
   0x005bef67 <+4423>:  mov    0x7fac4c,%edx
   0x005bef6d <+4429>:  mov    0x324d(%edx),%ch
   0x005bef73 <+4435>:  add    $0x1,%ch
   0x005bef76 <+4438>:  adc    $0x0,%ch
   0x005bef79 <+4441>:  mov    %ch,0x324d(%edx)
   0x005bef7f <+4447>:  mov    %eax,%edx
   0x005bef81 <+4449>:  and    $0x7,%dl
   0x005bef84 <+4452>:  cmp    %cl,%dl
   0x005bef86 <+4454>:  jge    0x5bf668 <h2_parse_frame_settings+6216>
   0x005bef8c <+4460>:  mov    0x7fac4c,%ecx
   0x005bef92 <+4466>:  mov    0x324a(%ecx),%dl
   0x005bef98 <+4472>:  add    $0x1,%dl
   0x005bef9b <+4475>:  adc    $0x0,%dl
   0x005bef9e <+4478>:  mov    %dl,0x324a(%ecx)
   0x005befa4 <+4484>:  movzbl (%eax),%eax
   0x005befa7 <+4487>:  test   %al,%al
   0x005befa9 <+4489>:  jns    0x5be0b5 <h2_parse_frame_settings+661>
   0x005befaf <+4495>:  jmp    0x5bf349 <h2_parse_frame_settings+5417>
   0x005befb4 <+4500>:  mov    0x7fac4c,%esi
   0x005befba <+4506>:  mov    0x3245(%esi),%dh
   0x005befc0 <+4512>:  add    $0x1,%dh
   0x005befc3 <+4515>:  adc    $0x0,%dh
   0x005befc6 <+4518>:  mov    %dh,0x3245(%esi)
   0x005befcc <+4524>:  mov    %cl,%dh
   0x005befce <+4526>:  and    $0x7,%dh
   0x005befd1 <+4529>:  cmp    %dl,%dh
   0x005befd3 <+4531>:  jge    0x5bf688 <h2_parse_frame_settings+6248>
   0x005befd9 <+4537>:  mov    0x7fac4c,%edx
   0x005befdf <+4543>:  mov    0x3242(%edx),%bl
   0x005befe5 <+4549>:  add    $0x1,%bl
   0x005befe8 <+4552>:  adc    $0x0,%bl
   0x005befeb <+4555>:  mov    %bl,0x3242(%edx)
   0x005beff1 <+4561>:  jmp    0x5be122 <h2_parse_frame_settings+770>
   0x005beff6 <+4566>:  mov    0x7fac4c,%esi
   0x005beffc <+4572>:  mov    0x3241(%esi),%bh
   0x005bf002 <+4578>:  add    $0x1,%bh
   0x005bf005 <+4581>:  adc    $0x0,%bh
   0x005bf008 <+4584>:  mov    %bh,0x3241(%esi)
   0x005bf00e <+4590>:  mov    %dl,%bh
   0x005bf010 <+4592>:  and    $0x7,%bh
   0x005bf013 <+4595>:  cmp    %bl,%bh
   0x005bf015 <+4597>:  jge    0x5bf6a7 <h2_parse_frame_settings+6279>
   0x005bf01b <+4603>:  mov    0x7fac4c,%esi
   0x005bf021 <+4609>:  mov    0x323e(%esi),%bl
   0x005bf027 <+4615>:  add    $0x1,%bl
   0x005bf02a <+4618>:  adc    $0x0,%bl
   0x005bf02d <+4621>:  mov    %bl,0x323e(%esi)
   0x005bf033 <+4627>:  jmp    0x5be153 <h2_parse_frame_settings+819>
   0x005bf038 <+4632>:  mov    0x7fac4c,%esi
   0x005bf03e <+4638>:  mov    0x323d(%esi),%dh
   0x005bf044 <+4644>:  add    $0x1,%dh
   0x005bf047 <+4647>:  adc    $0x0,%dh
   0x005bf04a <+4650>:  mov    %dh,0x323d(%esi)
   0x005bf050 <+4656>:  mov    %bl,%dh
   0x005bf052 <+4658>:  and    $0x7,%dh
   0x005bf055 <+4661>:  cmp    %dl,%dh
   0x005bf057 <+4663>:  jge    0x5bf6c6 <h2_parse_frame_settings+6310>
   0x005bf05d <+4669>:  mov    0x7fac4c,%edx
   0x005bf063 <+4675>:  mov    0x323a(%edx),%bl
   0x005bf069 <+4681>:  add    $0x1,%bl
   0x005bf06c <+4684>:  adc    $0x0,%bl
   0x005bf06f <+4687>:  mov    %bl,0x323a(%edx)
   0x005bf075 <+4693>:  jmp    0x5be184 <h2_parse_frame_settings+868>
   0x005bf07a <+4698>:  mov    0x7fac4c,%edx
   0x005bf080 <+4704>:  mov    0x3239(%edx),%bh
   0x005bf086 <+4710>:  add    $0x1,%bh
   0x005bf089 <+4713>:  adc    $0x0,%bh
   0x005bf08c <+4716>:  mov    %bh,0x3239(%edx)
   0x005bf092 <+4722>:  mov    %eax,%edx
   0x005bf094 <+4724>:  and    $0x7,%dl
   0x005bf097 <+4727>:  cmp    %bl,%dl
   0x005bf099 <+4729>:  jge    0x5bf6e5 <h2_parse_frame_settings+6341>
   0x005bf09f <+4735>:  mov    0x7fac4c,%edx
   0x005bf0a5 <+4741>:  mov    0x3236(%edx),%bl
   0x005bf0ab <+4747>:  add    $0x1,%bl
   0x005bf0ae <+4750>:  adc    $0x0,%bl
   0x005bf0b1 <+4753>:  mov    %bl,0x3236(%edx)
   0x005bf0b7 <+4759>:  jmp    0x5be1b7 <h2_parse_frame_settings+919>
   0x005bf0bc <+4764>:  mov    0x7fac4c,%eax
   0x005bf0c1 <+4769>:  mov    0x3235(%eax),%dh
   0x005bf0c7 <+4775>:  add    $0x1,%dh
   0x005bf0ca <+4778>:  adc    $0x0,%dh
   0x005bf0cd <+4781>:  mov    %dh,0x3235(%eax)
   0x005bf0d3 <+4787>:  mov    %ebx,%eax
   0x005bf0d5 <+4789>:  and    $0x7,%al
   0x005bf0d7 <+4791>:  cmp    %dl,%al
   0x005bf0d9 <+4793>:  jge    0x5bf706 <h2_parse_frame_settings+6374>
   0x005bf0df <+4799>:  mov    0x7fac4c,%eax
   0x005bf0e4 <+4804>:  mov    0x3232(%eax),%dl
   0x005bf0ea <+4810>:  add    $0x1,%dl
   0x005bf0ed <+4813>:  adc    $0x0,%dl
   0x005bf0f0 <+4816>:  mov    %dl,0x3232(%eax)
   0x005bf0f6 <+4822>:  jmp    0x5be1e6 <h2_parse_frame_settings+966>
   0x005bf0fb <+4827>:  mov    0x7fac4c,%eax
   0x005bf100 <+4832>:  mov    0x31b2(%eax),%cl
   0x005bf106 <+4838>:  add    $0x1,%cl
   0x005bf109 <+4841>:  adc    $0x0,%cl
   0x005bf10c <+4844>:  mov    %cl,0x31b2(%eax)
   0x005bf112 <+4850>:  cmpl   $0x0,0x44(%esp)
   0x005bf117 <+4855>:  jne    0x5bf1e9 <h2_parse_frame_settings+5065>
   0x005bf11d <+4861>:  mov    0x7fac4c,%eax
   0x005bf122 <+4866>:  mov    0x31af(%eax),%cl
   0x005bf128 <+4872>:  add    $0x1,%cl
   0x005bf12b <+4875>:  adc    $0x0,%cl
   0x005bf12e <+4878>:  mov    %cl,0x31af(%eax)
   0x005bf134 <+4884>:  jmp    0x5bf215 <h2_parse_frame_settings+5109>
   0x005bf139 <+4889>:  mov    0x7fac4c,%eax
   0x005bf13e <+4894>:  mov    0x31bd(%eax),%cl
   0x005bf144 <+4900>:  add    $0x1,%cl
   0x005bf147 <+4903>:  adc    $0x0,%cl
   0x005bf14a <+4906>:  mov    %cl,0x31bd(%eax)
   0x005bf150 <+4912>:  jmp    0x5bf169 <h2_parse_frame_settings+4937>
   0x005bf152 <+4914>:  mov    0x7fac4c,%eax
   0x005bf157 <+4919>:  mov    0x3222(%eax),%cl
   0x005bf15d <+4925>:  add    $0x1,%cl
   0x005bf160 <+4928>:  adc    $0x0,%cl
   0x005bf163 <+4931>:  mov    %cl,0x3222(%eax)
   0x005bf169 <+4937>:  mov    $0x1,%eax
   0x005bf16e <+4942>:  jmp    0x5bf205 <h2_parse_frame_settings+5093>
   0x005bf173 <+4947>:  mov    0x7fac4c,%esi
   0x005bf179 <+4953>:  mov    0x3257(%esi),%ch
   0x005bf17f <+4959>:  add    $0x1,%ch
   0x005bf182 <+4962>:  adc    $0x0,%ch
   0x005bf185 <+4965>:  mov    %ch,0x3257(%esi)
   0x005bf18b <+4971>:  mov    %al,%ch
   0x005bf18d <+4973>:  and    $0x7,%ch
   0x005bf190 <+4976>:  add    $0x3,%ch
   0x005bf193 <+4979>:  cmp    %cl,%ch
   0x005bf195 <+4981>:  jge    0x5bf809 <h2_parse_frame_settings+6633>
   0x005bf19b <+4987>:  mov    0x7fac4c,%ecx
   0x005bf1a1 <+4993>:  mov    0x3254(%ecx),%bl
   0x005bf1a7 <+4999>:  add    $0x1,%bl
   0x005bf1aa <+5002>:  adc    $0x0,%bl
   0x005bf1ad <+5005>:  mov    %bl,0x3254(%ecx)
   0x005bf1b3 <+5011>:  mov    0x90(%esp),%ecx
   0x005bf1ba <+5018>:  mov    %ecx,0x44(%esp)
   0x005bf1be <+5022>:  cmp    $0x5,%ecx
   0x005bf1c1 <+5025>:  ja     0x5bdebe <h2_parse_frame_settings+158>
   0x005bf1c7 <+5031>:  mov    0x7fac4c,%eax
   0x005bf1cc <+5036>:  mov    0x3253(%eax),%cl
   0x005bf1d2 <+5042>:  add    $0x1,%cl
   0x005bf1d5 <+5045>:  adc    $0x0,%cl
   0x005bf1d8 <+5048>:  mov    %cl,0x3253(%eax)
   0x005bf1de <+5054>:  cmpl   $0x0,0x44(%esp)
   0x005bf1e3 <+5059>:  je     0x5bf11d <h2_parse_frame_settings+4861>
   0x005bf1e9 <+5065>:  mov    0x7fac4c,%eax
   0x005bf1ee <+5070>:  mov    0x31b0(%eax),%cl
   0x005bf1f4 <+5076>:  add    $0x1,%cl
   0x005bf1f7 <+5079>:  adc    $0x0,%cl
   0x005bf1fa <+5082>:  mov    %cl,0x31b0(%eax)
   0x005bf200 <+5088>:  mov    $0x6,%eax
   0x005bf205 <+5093>:  mov    %eax,0x4(%esp)
   0x005bf209 <+5097>:  mov    0x2c(%esp),%eax
   0x005bf20d <+5101>:  mov    %eax,(%esp)
   0x005bf210 <+5104>:  call   0x5a4ab0 <h2_send_goaway>
   0x005bf215 <+5109>:  add    $0x7c,%esp
   0x005bf218 <+5112>:  pop    %esi
   0x005bf219 <+5113>:  pop    %edi
   0x005bf21a <+5114>:  pop    %ebx
   0x005bf21b <+5115>:  pop    %ebp
   0x005bf21c <+5116>:  ret
   0x005bf21d <+5117>:  mov    0x7fac4c,%eax
   0x005bf222 <+5122>:  mov    0x3202(%eax),%cl
   0x005bf228 <+5128>:  add    $0x1,%cl
   0x005bf22b <+5131>:  adc    $0x0,%cl
   0x005bf22e <+5134>:  mov    %cl,0x3202(%eax)
   0x005bf234 <+5140>:  ud2
   0x005bf236 <+5142>:  mov    0x7fac4c,%eax
   0x005bf23b <+5147>:  mov    0x31dd(%eax),%cl
   0x005bf241 <+5153>:  add    $0x1,%cl
   0x005bf244 <+5156>:  adc    $0x0,%cl
   0x005bf247 <+5159>:  mov    %cl,0x31dd(%eax)
   0x005bf24d <+5165>:  ud2
   0x005bf24f <+5167>:  mov    0x7fac4c,%eax
   0x005bf254 <+5172>:  mov    0x3208(%eax),%cl
   0x005bf25a <+5178>:  add    $0x1,%cl
   0x005bf25d <+5181>:  adc    $0x0,%cl
   0x005bf260 <+5184>:  mov    %cl,0x3208(%eax)
   0x005bf266 <+5190>:  ud2
   0x005bf268 <+5192>:  mov    0x7fac4c,%eax
   0x005bf26d <+5197>:  mov    0x3200(%eax),%cl
   0x005bf273 <+5203>:  add    $0x1,%cl
   0x005bf276 <+5206>:  adc    $0x0,%cl
   0x005bf279 <+5209>:  mov    %cl,0x3200(%eax)
   0x005bf27f <+5215>:  ud2
   0x005bf281 <+5217>:  mov    0x7fac4c,%eax
   0x005bf286 <+5222>:  mov    0x31fa(%eax),%cl
   0x005bf28c <+5228>:  add    $0x1,%cl
   0x005bf28f <+5231>:  adc    $0x0,%cl
   0x005bf292 <+5234>:  mov    %cl,0x31fa(%eax)
   0x005bf298 <+5240>:  ud2
   0x005bf29a <+5242>:  mov    0x7fac4c,%eax
   0x005bf29f <+5247>:  mov    0x3209(%eax),%cl
   0x005bf2a5 <+5253>:  add    $0x1,%cl
   0x005bf2a8 <+5256>:  adc    $0x0,%cl
   0x005bf2ab <+5259>:  mov    %cl,0x3209(%eax)
   0x005bf2b1 <+5265>:  ud2
   0x005bf2b3 <+5267>:  mov    0x7fac4c,%eax
   0x005bf2b8 <+5272>:  mov    0x320b(%eax),%cl
   0x005bf2be <+5278>:  add    $0x1,%cl
   0x005bf2c1 <+5281>:  adc    $0x0,%cl
   0x005bf2c4 <+5284>:  mov    %cl,0x320b(%eax)
   0x005bf2ca <+5290>:  ud2
   0x005bf2cc <+5292>:  mov    0x7fac4c,%eax
   0x005bf2d1 <+5297>:  mov    0x31e3(%eax),%cl
   0x005bf2d7 <+5303>:  add    $0x1,%cl
   0x005bf2da <+5306>:  adc    $0x0,%cl
   0x005bf2dd <+5309>:  mov    %cl,0x31e3(%eax)
   0x005bf2e3 <+5315>:  ud2
   0x005bf2e5 <+5317>:  mov    0x7fac4c,%eax
   0x005bf2ea <+5322>:  mov    0x31db(%eax),%cl
   0x005bf2f0 <+5328>:  add    $0x1,%cl
   0x005bf2f3 <+5331>:  adc    $0x0,%cl
   0x005bf2f6 <+5334>:  mov    %cl,0x31db(%eax)
   0x005bf2fc <+5340>:  ud2
   0x005bf2fe <+5342>:  mov    0x7fac4c,%eax
   0x005bf303 <+5347>:  mov    0x31d5(%eax),%cl
   0x005bf309 <+5353>:  add    $0x1,%cl
   0x005bf30c <+5356>:  adc    $0x0,%cl
   0x005bf30f <+5359>:  mov    %cl,0x31d5(%eax)
   0x005bf315 <+5365>:  ud2
   0x005bf317 <+5367>:  mov    0x7fac4c,%eax
   0x005bf31c <+5372>:  mov    0x31e4(%eax),%cl
   0x005bf322 <+5378>:  add    $0x1,%cl
   0x005bf325 <+5381>:  adc    $0x0,%cl
   0x005bf328 <+5384>:  mov    %cl,0x31e4(%eax)
   0x005bf32e <+5390>:  ud2
   0x005bf330 <+5392>:  mov    0x7fac4c,%eax
   0x005bf335 <+5397>:  mov    0x31e6(%eax),%cl
   0x005bf33b <+5403>:  add    $0x1,%cl
   0x005bf33e <+5406>:  adc    $0x0,%cl
   0x005bf341 <+5409>:  mov    %cl,0x31e6(%eax)
   0x005bf347 <+5415>:  ud2
   0x005bf349 <+5417>:  mov    0x7fac4c,%eax
   0x005bf34e <+5422>:  mov    0x3249(%eax),%cl
   0x005bf354 <+5428>:  add    $0x1,%cl
   0x005bf357 <+5431>:  adc    $0x0,%cl
   0x005bf35a <+5434>:  mov    %cl,0x3249(%eax)
=> 0x005bf360 <+5440>:  ud2
   0x005bf362 <+5442>:  mov    0x7fac4c,%eax
   0x005bf367 <+5447>:  mov    0x324f(%eax),%cl
   0x005bf36d <+5453>:  add    $0x1,%cl
   0x005bf370 <+5456>:  adc    $0x0,%cl
   0x005bf373 <+5459>:  mov    %cl,0x324f(%eax)
   0x005bf379 <+5465>:  ud2
   0x005bf37b <+5467>:  mov    0x7fac4c,%eax
   0x005bf380 <+5472>:  mov    0x3251(%eax),%cl
   0x005bf386 <+5478>:  add    $0x1,%cl
   0x005bf389 <+5481>:  adc    $0x0,%cl
   0x005bf38c <+5484>:  mov    %cl,0x3251(%eax)
   0x005bf392 <+5490>:  ud2
   0x005bf394 <+5492>:  mov    0x7fac4c,%eax
   0x005bf399 <+5497>:  mov    0x3246(%eax),%cl
   0x005bf39f <+5503>:  add    $0x1,%cl
   0x005bf3a2 <+5506>:  adc    $0x0,%cl
   0x005bf3a5 <+5509>:  mov    %cl,0x3246(%eax)
   0x005bf3ab <+5515>:  ud2
   0x005bf3ad <+5517>:  mov    0x7fac4c,%eax
   0x005bf3b2 <+5522>:  mov    0x31b3(%eax),%cl
   0x005bf3b8 <+5528>:  add    $0x1,%cl
   0x005bf3bb <+5531>:  adc    $0x0,%cl
   0x005bf3be <+5534>:  mov    %cl,0x31b3(%eax)
   0x005bf3c4 <+5540>:  ud2
   0x005bf3c6 <+5542>:  mov    0x7fac4c,%eax
   0x005bf3cb <+5547>:  mov    0x3250(%eax),%cl
   0x005bf3d1 <+5553>:  add    $0x1,%cl
   0x005bf3d4 <+5556>:  adc    $0x0,%cl
   0x005bf3d7 <+5559>:  mov    %cl,0x3250(%eax)
   0x005bf3dd <+5565>:  ud2
   0x005bf3df <+5567>:  mov    0x7fac4c,%eax
   0x005bf3e4 <+5572>:  mov    0x31ee(%eax),%cl
   0x005bf3ea <+5578>:  add    $0x1,%cl
   0x005bf3ed <+5581>:  adc    $0x0,%cl
   0x005bf3f0 <+5584>:  mov    %cl,0x31ee(%eax)
   0x005bf3f6 <+5590>:  ud2
   0x005bf3f8 <+5592>:  mov    0x7fac4c,%eax
   0x005bf3fd <+5597>:  mov    0x31c9(%eax),%cl
   0x005bf403 <+5603>:  add    $0x1,%cl
   0x005bf406 <+5606>:  adc    $0x0,%cl
   0x005bf409 <+5609>:  mov    %cl,0x31c9(%eax)
   0x005bf40f <+5615>:  ud2
   0x005bf411 <+5617>:  mov    0x7fac4c,%eax
   0x005bf416 <+5622>:  mov    0x325b(%eax),%cl
   0x005bf41c <+5628>:  add    $0x1,%cl
   0x005bf41f <+5631>:  adc    $0x0,%cl
   0x005bf422 <+5634>:  mov    %cl,0x325b(%eax)
   0x005bf428 <+5640>:  ud2
   0x005bf42a <+5642>:  mov    0x7fac4c,%eax
   0x005bf42f <+5647>:  mov    0x3216(%eax),%cl
   0x005bf435 <+5653>:  add    $0x1,%cl
   0x005bf438 <+5656>:  adc    $0x0,%cl
   0x005bf43b <+5659>:  mov    %cl,0x3216(%eax)
   0x005bf441 <+5665>:  mov    0x38(%esp),%eax
   0x005bf445 <+5669>:  mov    %eax,(%esp)
   0x005bf448 <+5672>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf44d <+5677>:  mov    0x7fac4c,%ecx
   0x005bf453 <+5683>:  mov    0x3204(%ecx),%dl
   0x005bf459 <+5689>:  add    $0x1,%dl
   0x005bf45c <+5692>:  adc    $0x0,%dl
   0x005bf45f <+5695>:  mov    %dl,0x3204(%ecx)
   0x005bf465 <+5701>:  mov    %eax,(%esp)
   0x005bf468 <+5704>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf46d <+5709>:  mov    0x7fac4c,%eax
   0x005bf472 <+5714>:  mov    0x321b(%eax),%cl
   0x005bf478 <+5720>:  add    $0x1,%cl
   0x005bf47b <+5723>:  adc    $0x0,%cl
   0x005bf47e <+5726>:  mov    %cl,0x321b(%eax)
   0x005bf484 <+5732>:  ud2
   0x005bf486 <+5734>:  mov    0x7fac4c,%eax
   0x005bf48b <+5739>:  mov    0x321a(%eax),%cl
   0x005bf491 <+5745>:  add    $0x1,%cl
   0x005bf494 <+5748>:  adc    $0x0,%cl
   0x005bf497 <+5751>:  mov    %cl,0x321a(%eax)
   0x005bf49d <+5757>:  mov    0x34(%esp),%eax
   0x005bf4a1 <+5761>:  mov    %eax,(%esp)
   0x005bf4a4 <+5764>:  call   0x51b380 <__asan_report_store4>
   0x005bf4a9 <+5769>:  mov    0x7fac4c,%eax
   0x005bf4ae <+5774>:  mov    0x3217(%eax),%cl
   0x005bf4b4 <+5780>:  add    $0x1,%cl
   0x005bf4b7 <+5783>:  adc    $0x0,%cl
   0x005bf4ba <+5786>:  mov    %cl,0x3217(%eax)
   0x005bf4c0 <+5792>:  ud2
   0x005bf4c2 <+5794>:  mov    0x7fac4c,%eax
   0x005bf4c7 <+5799>:  mov    0x31fc(%eax),%cl
   0x005bf4cd <+5805>:  add    $0x1,%cl
   0x005bf4d0 <+5808>:  adc    $0x0,%cl
   0x005bf4d3 <+5811>:  mov    %cl,0x31fc(%eax)
   0x005bf4d9 <+5817>:  mov    0xc(%esp),%eax
   0x005bf4dd <+5821>:  mov    %eax,(%esp)
   0x005bf4e0 <+5824>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf4e5 <+5829>:  mov    0x7fac4c,%eax
   0x005bf4ea <+5834>:  mov    0x31f6(%eax),%cl
   0x005bf4f0 <+5840>:  add    $0x1,%cl
   0x005bf4f3 <+5843>:  adc    $0x0,%cl
   0x005bf4f6 <+5846>:  mov    %cl,0x31f6(%eax)
   0x005bf4fc <+5852>:  mov    %ebx,(%esp)
   0x005bf4ff <+5855>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf504 <+5860>:  mov    0x7fac4c,%eax
   0x005bf509 <+5865>:  mov    0x31eb(%eax),%cl
   0x005bf50f <+5871>:  add    $0x1,%cl
   0x005bf512 <+5874>:  adc    $0x0,%cl
   0x005bf515 <+5877>:  mov    %cl,0x31eb(%eax)
   0x005bf51b <+5883>:  mov    %ebx,(%esp)
   0x005bf51e <+5886>:  call   0x51b380 <__asan_report_store4>
   0x005bf523 <+5891>:  mov    0x7fac4c,%eax
   0x005bf528 <+5896>:  mov    0x31c2(%eax),%cl
   0x005bf52e <+5902>:  add    $0x1,%cl
   0x005bf531 <+5905>:  adc    $0x0,%cl
   0x005bf534 <+5908>:  mov    %cl,0x31c2(%eax)
   0x005bf53a <+5914>:  ud2
   0x005bf53c <+5916>:  mov    0x7fac4c,%eax
   0x005bf541 <+5921>:  mov    0x31c0(%eax),%cl
   0x005bf547 <+5927>:  add    $0x1,%cl
   0x005bf54a <+5930>:  adc    $0x0,%cl
   0x005bf54d <+5933>:  mov    %cl,0x31c0(%eax)
   0x005bf553 <+5939>:  mov    0x20(%esp),%eax
   0x005bf557 <+5943>:  mov    %eax,(%esp)
   0x005bf55a <+5946>:  call   0x51b380 <__asan_report_store4>
   0x005bf55f <+5951>:  mov    0x7fac4c,%eax
   0x005bf564 <+5956>:  mov    0x3229(%eax),%cl
   0x005bf56a <+5962>:  add    $0x1,%cl
   0x005bf56d <+5965>:  adc    $0x0,%cl
   0x005bf570 <+5968>:  mov    %cl,0x3229(%eax)
   0x005bf576 <+5974>:  ud2
   0x005bf578 <+5976>:  mov    0x7fac4c,%eax
   0x005bf57d <+5981>:  mov    0x3228(%eax),%cl
   0x005bf583 <+5987>:  add    $0x1,%cl
   0x005bf586 <+5990>:  adc    $0x0,%cl
   0x005bf589 <+5993>:  mov    %cl,0x3228(%eax)
   0x005bf58f <+5999>:  mov    0x24(%esp),%eax
   0x005bf593 <+6003>:  mov    %eax,(%esp)
   0x005bf596 <+6006>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf59b <+6011>:  mov    0x7fac4c,%eax
   0x005bf5a0 <+6016>:  mov    0x321f(%eax),%cl
   0x005bf5a6 <+6022>:  add    $0x1,%cl
   0x005bf5a9 <+6025>:  adc    $0x0,%cl
   0x005bf5ac <+6028>:  mov    %cl,0x321f(%eax)
   0x005bf5b2 <+6034>:  ud2
   0x005bf5b4 <+6036>:  mov    0x7fac4c,%eax
   0x005bf5b9 <+6041>:  mov    0x321e(%eax),%cl
   0x005bf5bf <+6047>:  add    $0x1,%cl
   0x005bf5c2 <+6050>:  adc    $0x0,%cl
   0x005bf5c5 <+6053>:  mov    %cl,0x321e(%eax)
   0x005bf5cb <+6059>:  mov    0x30(%esp),%eax
   0x005bf5cf <+6063>:  mov    %eax,(%esp)
   0x005bf5d2 <+6066>:  call   0x51b380 <__asan_report_store4>
   0x005bf5d7 <+6071>:  mov    0x7fac4c,%eax
   0x005bf5dc <+6076>:  mov    0x31bb(%eax),%cl
   0x005bf5e2 <+6082>:  add    $0x1,%cl
   0x005bf5e5 <+6085>:  adc    $0x0,%cl
   0x005bf5e8 <+6088>:  mov    %cl,0x31bb(%eax)
   0x005bf5ee <+6094>:  ud2
   0x005bf5f0 <+6096>:  mov    0x7fac4c,%eax
   0x005bf5f5 <+6101>:  mov    0x31ba(%eax),%cl
   0x005bf5fb <+6107>:  add    $0x1,%cl
   0x005bf5fe <+6110>:  adc    $0x0,%cl
   0x005bf601 <+6113>:  mov    %cl,0x31ba(%eax)
   0x005bf607 <+6119>:  mov    0x48(%esp),%eax
   0x005bf60b <+6123>:  mov    %eax,(%esp)
   0x005bf60e <+6126>:  call   0x51b380 <__asan_report_store4>
   0x005bf613 <+6131>:  mov    0x7fac4c,%eax
   0x005bf618 <+6136>:  mov    0x31b7(%eax),%cl
   0x005bf61e <+6142>:  add    $0x1,%cl
   0x005bf621 <+6145>:  adc    $0x0,%cl
   0x005bf624 <+6148>:  mov    %cl,0x31b7(%eax)
   0x005bf62a <+6154>:  ud2
   0x005bf62c <+6156>:  mov    0x7fac4c,%eax
   0x005bf631 <+6161>:  mov    0x31b6(%eax),%cl
   0x005bf637 <+6167>:  add    $0x1,%cl
   0x005bf63a <+6170>:  adc    $0x0,%cl
   0x005bf63d <+6173>:  mov    %cl,0x31b6(%eax)
   0x005bf643 <+6179>:  mov    0x4c(%esp),%eax
   0x005bf647 <+6183>:  mov    %eax,(%esp)
   0x005bf64a <+6186>:  call   0x51b380 <__asan_report_store4>
   0x005bf64f <+6191>:  mov    0x7fac4c,%eax
   0x005bf654 <+6196>:  mov    0x3259(%eax),%cl
   0x005bf65a <+6202>:  add    $0x1,%cl
   0x005bf65d <+6205>:  adc    $0x0,%cl
   0x005bf660 <+6208>:  mov    %cl,0x3259(%eax)
   0x005bf666 <+6214>:  ud2
   0x005bf668 <+6216>:  mov    0x7fac4c,%ecx
   0x005bf66e <+6222>:  mov    0x324b(%ecx),%dl
   0x005bf674 <+6228>:  add    $0x1,%dl
   0x005bf677 <+6231>:  adc    $0x0,%dl
   0x005bf67a <+6234>:  mov    %dl,0x324b(%ecx)
   0x005bf680 <+6240>:  mov    %eax,(%esp)
   0x005bf683 <+6243>:  call   0x51af90 <__asan_report_load1>
   0x005bf688 <+6248>:  mov    0x7fac4c,%eax
   0x005bf68d <+6253>:  mov    0x3243(%eax),%dl
   0x005bf693 <+6259>:  add    $0x1,%dl
   0x005bf696 <+6262>:  adc    $0x0,%dl
   0x005bf699 <+6265>:  mov    %dl,0x3243(%eax)
   0x005bf69f <+6271>:  mov    %ecx,(%esp)
   0x005bf6a2 <+6274>:  call   0x51af90 <__asan_report_load1>
   0x005bf6a7 <+6279>:  mov    0x7fac4c,%eax
   0x005bf6ac <+6284>:  mov    0x323f(%eax),%cl
   0x005bf6b2 <+6290>:  add    $0x1,%cl
   0x005bf6b5 <+6293>:  adc    $0x0,%cl
   0x005bf6b8 <+6296>:  mov    %cl,0x323f(%eax)
   0x005bf6be <+6302>:  mov    %edx,(%esp)
   0x005bf6c1 <+6305>:  call   0x51af90 <__asan_report_load1>
   0x005bf6c6 <+6310>:  mov    0x7fac4c,%eax
   0x005bf6cb <+6315>:  mov    0x323b(%eax),%cl
   0x005bf6d1 <+6321>:  add    $0x1,%cl
   0x005bf6d4 <+6324>:  adc    $0x0,%cl
   0x005bf6d7 <+6327>:  mov    %cl,0x323b(%eax)
   0x005bf6dd <+6333>:  mov    %ebx,(%esp)
   0x005bf6e0 <+6336>:  call   0x51af90 <__asan_report_load1>
   0x005bf6e5 <+6341>:  mov    %eax,%edx
   0x005bf6e7 <+6343>:  mov    0x7fac4c,%eax
   0x005bf6ec <+6348>:  mov    0x3237(%eax),%cl
   0x005bf6f2 <+6354>:  add    $0x1,%cl
   0x005bf6f5 <+6357>:  adc    $0x0,%cl
   0x005bf6f8 <+6360>:  mov    %cl,0x3237(%eax)
   0x005bf6fe <+6366>:  mov    %edx,(%esp)
   0x005bf701 <+6369>:  call   0x51af90 <__asan_report_load1>
   0x005bf706 <+6374>:  mov    0x7fac4c,%eax
   0x005bf70b <+6379>:  mov    0x3233(%eax),%cl
   0x005bf711 <+6385>:  add    $0x1,%cl
   0x005bf714 <+6388>:  adc    $0x0,%cl
   0x005bf717 <+6391>:  mov    %cl,0x3233(%eax)
   0x005bf71d <+6397>:  mov    %ebx,(%esp)
   0x005bf720 <+6400>:  call   0x51af90 <__asan_report_load1>
   0x005bf725 <+6405>:  mov    0x7fac4c,%eax
   0x005bf72a <+6410>:  mov    0x3212(%eax),%cl
   0x005bf730 <+6416>:  add    $0x1,%cl
   0x005bf733 <+6419>:  adc    $0x0,%cl
   0x005bf736 <+6422>:  mov    %cl,0x3212(%eax)
   0x005bf73c <+6428>:  ud2
   0x005bf73e <+6430>:  mov    0x7fac4c,%eax
   0x005bf743 <+6435>:  mov    0x3210(%eax),%cl
   0x005bf749 <+6441>:  add    $0x1,%cl
   0x005bf74c <+6444>:  adc    $0x0,%cl
   0x005bf74f <+6447>:  mov    %cl,0x3210(%eax)
   0x005bf755 <+6453>:  mov    0x20(%esp),%eax
   0x005bf759 <+6457>:  mov    %eax,(%esp)
   0x005bf75c <+6460>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf761 <+6465>:  mov    0x7fac4c,%ecx
   0x005bf767 <+6471>:  mov    0x31df(%ecx),%dl
   0x005bf76d <+6477>:  add    $0x1,%dl
   0x005bf770 <+6480>:  adc    $0x0,%dl
   0x005bf773 <+6483>:  mov    %dl,0x31df(%ecx)
   0x005bf779 <+6489>:  mov    %eax,(%esp)
   0x005bf77c <+6492>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf781 <+6497>:  mov    0x7fac4c,%eax
   0x005bf786 <+6502>:  mov    0x31d7(%eax),%cl
   0x005bf78c <+6508>:  add    $0x1,%cl
   0x005bf78f <+6511>:  adc    $0x0,%cl
   0x005bf792 <+6514>:  mov    %cl,0x31d7(%eax)
   0x005bf798 <+6520>:  mov    0xc(%esp),%eax
   0x005bf79c <+6524>:  mov    %eax,(%esp)
   0x005bf79f <+6527>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf7a4 <+6532>:  mov    0x7fac4c,%eax
   0x005bf7a9 <+6537>:  mov    0x31d1(%eax),%cl
   0x005bf7af <+6543>:  add    $0x1,%cl
   0x005bf7b2 <+6546>:  adc    $0x0,%cl
   0x005bf7b5 <+6549>:  mov    %cl,0x31d1(%eax)
   0x005bf7bb <+6555>:  mov    %ebx,(%esp)
   0x005bf7be <+6558>:  call   0x51b0b0 <__asan_report_load4>
   0x005bf7c3 <+6563>:  mov    0x7fac4c,%eax
   0x005bf7c8 <+6568>:  mov    0x31c6(%eax),%cl
   0x005bf7ce <+6574>:  add    $0x1,%cl
   0x005bf7d1 <+6577>:  adc    $0x0,%cl
   0x005bf7d4 <+6580>:  mov    %cl,0x31c6(%eax)
   0x005bf7da <+6586>:  mov    0xc(%esp),%eax
   0x005bf7de <+6590>:  mov    %eax,(%esp)
   0x005bf7e1 <+6593>:  call   0x51b380 <__asan_report_store4>
   0x005bf7e6 <+6598>:  mov    0x7fac4c,%eax
   0x005bf7eb <+6603>:  mov    0x3224(%eax),%cl
   0x005bf7f1 <+6609>:  add    $0x1,%cl
   0x005bf7f4 <+6612>:  adc    $0x0,%cl
   0x005bf7f7 <+6615>:  mov    %cl,0x3224(%eax)
   0x005bf7fd <+6621>:  mov    0x24(%esp),%eax
   0x005bf801 <+6625>:  mov    %eax,(%esp)
   0x005bf804 <+6628>:  call   0x51b380 <__asan_report_store4>
   0x005bf809 <+6633>:  mov    0x7fac4c,%ecx
   0x005bf80f <+6639>:  mov    0x3255(%ecx),%dl
   0x005bf815 <+6645>:  add    $0x1,%dl
   0x005bf818 <+6648>:  adc    $0x0,%dl
   0x005bf81b <+6651>:  mov    %dl,0x3255(%ecx)
   0x005bf821 <+6657>:  mov    %eax,(%esp)
   0x005bf824 <+6660>:  call   0x51b0b0 <__asan_report_load4>
End of assembler dump.

Here are the info registers.
eax 0xf5b3c800 -172767232
ecx 0xf5b3c801 -172767231
edx 0xf5501503 -179301117
ebx 0xf5501507 -179301113
esp 0xffff43a0 0xffff43a0
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x5bf360 0x5bf360 <h2_parse_frame_settings+5440>
eflags 0x10202 [ IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99

Actions #15

Updated by gstrauss about 3 years ago

It looks like you missed the #0 ... at the beginning of the full stack. That is critical information to match up to the disassembly.

[Edit] looking at the eip in info registers

   0x005bf349 <+5417>:  mov    0x7fac4c,%eax
   0x005bf34e <+5422>:  mov    0x3249(%eax),%cl
   0x005bf354 <+5428>:  add    $0x1,%cl
   0x005bf357 <+5431>:  adc    $0x0,%cl
   0x005bf35a <+5434>:  mov    %cl,0x3249(%eax)
=> 0x005bf360 <+5440>:  ud2

Actions #16

Updated by gstrauss about 3 years ago

As suggested by stbuehler, please provide a tcpdump of the traffic or an strace -o strace.log -s 4096 ... of your tests program. You words above have not described the requests sufficiently for someone to attempt to reproduce them.

Alternatively, please also consider sharing your test program (attach as a file by clicking the "Browse" button below).

Actions #17

Updated by axe34 about 3 years ago

Here is the fixed full stack.

#0  h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
        h2c = 0xf4303300
#1  0x005c1a5a in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
        h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377" 
        h2c = <optimized out>
#2  0x005d383d in h2_check_con_upgrade_h2c (r=<optimized out>) at h2.c:2538
        upgrade = <optimized out>
        http_connection = <optimized out>
        http2_settings = <optimized out>
#3  0x00599e36 in connection_handle_read_state (con=0xf3703880) at connections.c:808
        hoff = <optimized out>
        cq = <optimized out>
        discard_blank = <optimized out>
        pipelined_request_start = <optimized out>
        keepalive_request_start = <optimized out>
        r = 0xf3703880
        header_len = 149
        clen = <optimized out>
        c = 0xf3703914
        hdrs = <optimized out>
#4  0x00590dfb in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
        ostate = CON_STATE_REQUEST_START
#5  0x0058dea3 in connection_state_machine_h1 (r=0xf3703880, con=0xf5501503) at connections.c:1418
        log_state_handling = <optimized out>
#6  0x005eada2 in network_server_handle_fdevent (context=0xf4503030, revents=1) at connections.c:1436
        srv_socket = 0xf4503030
        srv = 0xf5703c40
        loops = <optimized out>
        con = 0xf3b50800
--Type <RET> for more, q to quit, c to continue without paging--c
#7  0x00792764 in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
        n = 1
#8  0x006e4133 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
        n = <optimized out>
#9  0x00555964 in server_main_loop (srv=<optimized out>) at server.c:1902
        min_ts = <optimized out>
        joblist = <optimized out>
        last_active_ts = 1612724530
#10 0x00547964 in main (argc=<optimized out>, argv=<optimized out>) at server.c:2034
        srv = 0xf5703c40
        rc = 1

I do not want to share my test program. It is super simple. It creates a new thread and opens a socket connection to the server and sends the input.

Actions #18

Updated by axe34 about 3 years ago

For the request, I will provide the tcpdump later.
To explain it more, there is only one http request needed.
This is the http request

GET /alias/index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA

All my program does is that it takes this http request and sends it to the server.

Actions #19

Updated by gstrauss about 3 years ago

Does the crash occur if you build without -fsanitize=address,undefined and with -O0 ?
CFLAGS='-m32 -g -O0' CXXFLAGS='-m32 -g -O0' ./configure
The assembly will be much easier to read without the additional instrumentation.

Actions #20

Updated by axe34 about 3 years ago

The crash does not occur if I do not build with -fsanitize=address,undefined and -O0
The response is the standard one.

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c

Actions #21

Updated by gstrauss about 3 years ago

I have inspected the ls-hpack code around its HPACK encoder history table and the code is fairly simple and straightforward. Since the issue still occurs for you with the patch disabling the call to lshpack_enc_use_hist(&h2c->encoder, 1); in h2.c, I believe that there is a better chance that there is something amiss in the libubsan instrumentation that results in SIGILL, rather than an issue in the lighttpd code. Still, I will leave this issue open for another week so that you can dig into the other request you mentioned which trigger crashes with lighttpd instrumented with libasan/libubsan. You might see if there is a difference if you compile lighttpd with gcc and with clang.

I do not want to share my test program. It is super simple. It creates a new thread and opens a socket connection to the server and sends the input.

After the initial HTTP/1.1 request with Connection: Upgrade, HTTP2-Settings, does your program decode the HTTP/2 frames? Does your program send an HTTP/2 GOAWAY frame or other HTTP/2 frames? Or does your program close the connection?

Actions #22

Updated by axe34 about 3 years ago

My program just sends the request and then closes the connection.

Actions #23

Updated by gstrauss about 3 years ago

stbuehler pointed out to me on IRC that your "crash" might be a hard failure of the instrumentation, which should have issued trace instead.
In my tests, I was able to elicit the warning:
h2.c:605:28: runtime error: left shift of 192 by 24 places cannot be represented in type 'int'
That '192' comes from the 3rd setting of your fabricated HTTP2-Settings 000d c000 0000. The c0 is bit-shifted left 24 bits, and the high bit ends up shifting into the sign bit of the 32-bit quantity, which may technically be undefined behavior on a 32-bit int (to which a (uint8_t *) character was promoted).

See if this patch makes your SIGILL disappear. (I have a more comprehensive patch on my dev branch)

--- a/src/h2.c
+++ b/src/h2.c
@@ -602,7 +602,7 @@ h2_parse_frame_settings (connection * const con, const uint8_t *s, uint32_t len)
     /*(caller must validate frame len, frame type == 0x04, frame id == 0)*/
     h2con * const h2c = con->h2;
     for (; len >= 6; len -= 6, s += 6) {
-        uint32_t v = (s[2] << 24) | (s[3] << 16) | (s[4] << 8) | s[5];
+        uint32_t v = (((uint32_t)s[2]) << 24) | (s[3] << 16) | (s[4] << 8) | s[5];
         switch (((s[0] << 8) | s[1])) {
           case H2_SETTINGS_HEADER_TABLE_SIZE:
             /* encoder may use any table size <= value sent by peer */

Actions #24

Updated by axe34 about 3 years ago

Yup, this patch works.

Actions #25

Updated by axe34 about 3 years ago

The response is the standard response.

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c

Actions #26

Updated by gstrauss about 3 years ago

  • Subject changed from Illegal Instruction when sending Malicious Data through HTTP2 Frame to pedantic warning from -fsanitize=undefined
  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.x to 1.4.60

Retitled this issue. The behavior is defined in C++. While technically undefined behavior in C according to the spec, in practice, the bit-shift is within the range of the register, whether 32-bit or 64-bit, and the result in the code is assigned to a uint32_t.

Actions #27

Updated by axe34 about 3 years ago

I see so it does not warrant a cve

Actions #28

Updated by axe34 about 3 years ago

But wouldn't this be an integer overflow because of the bitshift

Actions #29

Updated by gstrauss about 3 years ago

I see so it does not warrant a cve

It does not. It does not even qualify as a bug. It is a pedantic warning.

But wouldn't this be an integer overflow because of the bitshift

No, not for logical bit shift. Yes, if arithmetic shift on int. The result is assigned to a uint32_t, so it does not matter.
A uint8_t is bit-shifted left 24 bits. Please re-read what I already posted and count the bits yourself.

Actions #30

Updated by axe34 about 3 years ago

Ok thanks for all the help

Actions #31

Updated by gstrauss about 3 years ago

You seem to have a misunderstanding about what a CVE is and what qualifies as a CVE.

As I have posted before, not all bugs are vulnerabilities. Vulnerabilities are a subset of bugs.

Please do some reading on the official CVE site:
https://cve.mitre.org/about/terminology.html#vulnerability and see their definition of "vulnerability"
https://cve.mitre.org/cve/cna/rules.html#section_7-1_what_is_a_vulnerability

More specifically, a bug must violate security policy and have an impact. In other words, before you would even try to file a CVE, you need to do a much, much, much better job of understanding the impact of a bug, how the bug is a vulnerability, and be able to demonstrate or describe how the vulnerability might be exploited.

Actions #32

Updated by gstrauss about 3 years ago

  • Status changed from Patch Pending to Fixed
Actions

Also available in: Atom