Bug #3067
closed
pedantic warning from -fsanitize=undefined
Description
Here is my configuration file
server.port = 3000
server.document-root = "/var/www/"
etag.use-inode = "disable"
etag.use-mtime = "disable"
etag.use-size = "disable"
static-file.etags = "disable"
mimetype.assign = (
".html" => "text/html",
)
server.max-fds = 2048
server.max-keep-alive-requests = 0
server.max-keep-alive-idle = 1
server.http-parseopts = ("url-path-dotseg-remove" => "enable","url-normalize-required" => "enable","url-query-20-plus" => "enable","url-path-2f-decode" => "enable")
My initial request is
GET /index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
However, the following request causes an illegal instruction and the server to exit.
GET /index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA
Here is the full stack trace:
Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
603 h2con * const h2c = con->h2;
(gdb) bt
#0 h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
#1 0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
#2 0x005dbf12 in h2_con_upgrade_h2c (h2r=<optimized out>, http2_settings=0xf59006f0) at h2.c:2538
#3 0x005db709 in h2_check_con_upgrade_h2c (r=0xf3703880) at h2.c:2657
#4 0x005a1261 in connection_handle_read_state (con=0xf3703880) at connections.c:808
#5 0x0059ae2f in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
#6 0x0059a05b in connection_state_machine_h1 (r=0xf3703880, con=0xf4303303) at connections.c:1418
#7 0x00597031 in connection_state_machine (con=0xf3703880) at connections.c:1436
#8 0x005f1819 in network_server_handle_fdevent (context=0xf4503030, revents=1) at network.c:66
#9 0x0076fe8a in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
#10 0x006cf5a7 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
#11 0x0055d397 in server_main_loop (srv=0xf5703c40) at server.c:1902
#12 0x0054a02f in main (argc=6, argv=0xffffcd14) at server.c:2034
I have several payloads for this bug and I am guessing this bug is caused by the malformed data in the settings frame of the request.
In different payloads, the stack trace shows that there is a different value in h2_parse_init_settings
h2_parse_frame_settings (con=<optimized out>, s=0xf5501500 "\242y\300", len=18) at h2.c:603
603 h2con * const h2c = con->h2;
(gdb) bt
#0 h2_parse_frame_settings (con=<optimized out>, s=0xf5501500 "\242y\300", len=18) at h2.c:603
#1 0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
#2 0x005dbf12 in h2_con_upgrade_h2c (h2r=<optimized out>, http2_settings=0xf59006f0) at h2.c:2538
#3 0x005db709 in h2_check_con_upgrade_h2c (r=0xf3703880) at h2.c:2657
#4 0x005a1261 in connection_handle_read_state (con=0xf3703880) at connections.c:808
#5 0x0059ae2f in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
#6 0x0059a05b in connection_state_machine_h1 (r=0xf3703880, con=0xf4303301) at connections.c:1418
#7 0x00597031 in connection_state_machine (con=0xf3703880) at connections.c:1436
#8 0x005f1819 in network_server_handle_fdevent (context=0xf4503030, revents=1) at network.c:66
#9 0x0076fe8a in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
#10 0x006cf5a7 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
#11 0x0055d397 in server_main_loop (srv=0xf5703c40) at server.c:1902
#12 0x0054a02f in main (argc=6, argv=0xffffcd24) at server.c:2034
In this stack trace, the value passed to h2_parse_frame_settings is \242y\300 and in the previous stack trace, the value is empty.
Updated by gstrauss almost 4 years ago
How are you sending these requests? What tool are you using? Are you sending them on the same connection? Are they separate connections? Are they sent in parallel? How does lighttpd respond to the requests? Do you get /index.html? Is your tool switching to use HTTP/2 for subsequent requests on the connection after your initial Connection: Upgrade, HTTP2-Settings request?
Are you using lighttpd 1.4.59? (Likely, yes, but please always include such detailed information.) What platforms are you on? x86_64? ARM64? What is your OS and version?
Updated by axe34 almost 4 years ago
This is my fault. I completely forgot about this. They are being sent through a socket connection through a small program I made. They are sent in separate connections. The first one is just an example of the base requests. The second request is the one that causes the issue. When you send the second request, lighttpd does not send a response. I am using lighttpd 1.4.59 and I am on x86_64 GNU/Linux Ubuntu 20.04
Updated by gstrauss almost 4 years ago
If you built lighttpd yourself, what commands did you use to build lighttpd and did you change any settings from the defaults?
In gdb when you cause the crash, please
up 1
print con->h2
An illegal instruction for a basic access is curious. con->h2 was allocated and assigned in h2_init_con() a few lines before calling h2_parse_frame_settings()
603 h2con * const h2c = con->h2;
This occurs before any parsing of the HTTP2-Settings that you sent (in the second request). lighttpd would subsequently ignore the unknown settings in the data that you have passed in your example above.
Please describe what happens in the first request, as it is possible that something is getting corrupted and that corruption is exposed on the subsequent request.
Updated by axe34 almost 4 years ago
This is the full command I used to compile. CFLAGS='-m32 -g -O1 -fsanitize=address,undefined' CXXFLAGS='-m32 -g -O1 -fsanitize=address,undefined' ./configure. I did not change anything.
I am not sending these requests one after another. This crash happens with one request which is the second request.
Here is the gdb output
[New Thread 0xf30ffb40 (LWP 48)]
Request:
GET /alias/index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA
Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
603 h2con * const h2c = con->h2;
(gdb) up 1
#1 0x005cba06 in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
1656 h2_parse_frame_settings(con, (uint8_t *)CONST_BUF_LEN(http2_settings));
(gdb) print con->h2
$2 = (h2con *) 0xf4303300
Updated by axe34 almost 4 years ago
The first request is just a normal request to demonstrate my initial payload before mutations. The output is
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c
Updated by gstrauss almost 4 years ago
Is this reproducible when you do not build with -m32?
Updated by axe34 almost 4 years ago
This is reproducible when I do build a 64bit binary too
Updated by gstrauss almost 4 years ago
I was not able to reproduce the issue with a basic curl test (using the HTTP2-Settings values sent by curl)
curl --http2 http://127.0.0.1/index.txt http://127.0.0.1/index.txt
I do not have a ready tool at my disposal to manipulate the HTTP2-Settings that are sent, but plan to mock one up.
In your constructed HTTP2-Settings, you set HTTP2 HPACK header table size to 0. If you send a subsequent HTTP/2 frame setting it back to a reasonable value, e.g. 4096, do things continue to work? I am trying to narrow things down to lighttpd code or ls-hpack code.
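Added example, not part of the thread or of lighttpd's code: the HTTP2-Settings header carries an unpadded base64url SETTINGS payload (RFC 7540 section 3.2.1) made of 6-byte entries, a 16-bit identifier followed by a 32-bit value. This sketch decodes the two header values quoted in the report and lists what the mutated one changed; the function and constant names are illustrative.

```python
import base64
import binascii
import re
import struct

# Setting identifiers defined in RFC 7540 section 6.5.2.
SETTINGS_NAMES = {
    0x1: "SETTINGS_HEADER_TABLE_SIZE",
    0x2: "SETTINGS_ENABLE_PUSH",
    0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
    0x5: "SETTINGS_MAX_FRAME_SIZE",
    0x6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}

# Header values copied from the two requests in the report.
BASE_VALUE = "AAMAAABkAARAAAAAAAIAAAAA"
MUTATED_VALUE = "AAMAAABkAAEAAAAAAA3AAAAA"


def decode_http2_settings(header_value):
    """Decode an HTTP2-Settings header value into (id, name, value) tuples.

    Raises ValueError if the value is not unpadded base64url or if the
    decoded payload is not a whole number of 6-byte SETTINGS entries.
    """
    token = header_value.strip()
    # b64decode silently skips foreign characters, so check the alphabet first.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("not an unpadded base64url token")
    try:
        # The header omits '=' padding; restore it before decoding.
        payload = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except binascii.Error as exc:
        raise ValueError(f"bad base64url: {exc}") from exc
    if len(payload) % 6:
        raise ValueError(f"payload length {len(payload)} is not a multiple of 6")
    # Each entry: 16-bit identifier, 32-bit value, both big-endian.
    return [
        (ident, SETTINGS_NAMES.get(ident, "unknown"), value)
        for ident, value in struct.iter_unpack(">HI", payload)
    ]


def changed_settings(base_value, mutated_value):
    """Return the entries of the mutated payload that the base payload lacks."""
    base = decode_http2_settings(base_value)
    return [s for s in decode_http2_settings(mutated_value) if s not in base]


if __name__ == "__main__":
    for label, value in (("base", BASE_VALUE), ("mutated", MUTATED_VALUE)):
        print(label)
        for ident, name, setting in decode_http2_settings(value):
            print(f"  0x{ident:04x} {name:<32} 0x{setting:08x} ({setting})")
    print("changed by mutation:", changed_settings(BASE_VALUE, MUTATED_VALUE))
```

The mutated value decodes to a header table size of 0 followed by an entry with an unregistered identifier, which matches the description of the payload in the comment above.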
Updated by axe34 almost 4 years ago
Yes. If I send another request with another frame with a valid value things continue to work. I have been doing some analysis with valgrind and found some information.
==16005== valgrind: Unrecognised instruction at address 0x5badae.
==16005== at 0x5BADAE: h2_parse_frame_settings (h2.c:603)
==16005== by 0x5C3553: h2_init_con (h2.c:1656)
==16005== by 0x5D3AAE: h2_con_upgrade_h2c (h2.c:2538)
==16005== by 0x5D3295: h2_check_con_upgrade_h2c (h2.c:2657)
==16005== by 0x598B30: connection_handle_read_state (connections.c:808)
==16005== by 0x59266F: connection_state_machine_loop (connections.c:1079)
==16005== by 0x591851: connection_state_machine_h1 (connections.c:1418)
==16005== by 0x58E78C: connection_state_machine (connections.c:1436)
==16005== by 0x5E9418: network_server_handle_fdevent (network.c:66)
==16005== by 0x76894C: fdevent_linux_sysepoll_poll (fdevent_linux_sysepoll.c:43)
==16005== by 0x6C7C06: fdevent_poll (fdevent.c:436)
==16005== by 0x55AE85: server_main_loop (server.c:1902)
==16005== Your program just tried to execute an instruction that Valgrind
==16005== did not recognise. There are two possible reasons for this.
==16005== 1. Your program has a bug and erroneously jumped to a non-code
==16005== location. If you are running Memcheck and you just saw a
==16005== warning about a bad jump, it's probably your program's fault.
==16005== 2. The instruction is legitimate but Valgrind doesn't handle it,
==16005== i.e. it's Valgrind's fault. If you think this is the case or
==16005== you are not sure, please let us know and we'll try to fix it.
==16005== Either way, Valgrind will now raise a SIGILL signal which will
==16005== probably kill your program.
==16005==
==16005== Process terminating with default action of signal 4 (SIGILL): dumping core
==16005== Illegal opcode at address 0x5BADAE
==16005== at 0x5BADAE: h2_parse_frame_settings (h2.c:603)
==16005== by 0x5C3553: h2_init_con (h2.c:1656)
==16005== by 0x5D3AAE: h2_con_upgrade_h2c (h2.c:2538)
==16005== by 0x5D3295: h2_check_con_upgrade_h2c (h2.c:2657)
==16005== by 0x598B30: connection_handle_read_state (connections.c:808)
==16005== by 0x59266F: connection_state_machine_loop (connections.c:1079)
==16005== by 0x591851: connection_state_machine_h1 (connections.c:1418)
==16005== by 0x58E78C: connection_state_machine (connections.c:1436)
==16005== by 0x5E9418: network_server_handle_fdevent (network.c:66)
==16005== by 0x76894C: fdevent_linux_sysepoll_poll (fdevent_linux_sysepoll.c:43)
==16005== by 0x6C7C06: fdevent_poll (fdevent.c:436)
==16005== by 0x55AE85: server_main_loop (server.c:1902)
Updated by axe34 almost 4 years ago
I added a longer stack trace here.
Thread 1 "lighttpd" received signal SIGILL, Illegal instruction.
h2_parse_frame_settings (con=<optimized out>, s=0x62100000150c "", len=6) at h2.c:603
603 h2con * const h2c = con->h2;
(gdb) bt full
#0 h2_parse_frame_settings (con=<optimized out>, s=0x62100000150c "", len=6) at h2.c:603
h2c = 0x611000001580
#1 0x00000000003a15ed in h2_init_con (h2r=0x619000001980, con=0x619000001980, http2_settings=0x602000000030) at h2.c:1656
h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377"
h2c = <optimized out>
#2 0x00000000003afd19 in h2_con_upgrade_h2c (h2r=0x619000001980, http2_settings=0x602000000030) at h2.c:2538
switch_proto = "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n"
con = 0x619000001980
r = <optimized out>
#3 0x00000000003af6a8 in h2_check_con_upgrade_h2c (r=0x619000001980) at h2.c:2657
upgrade = <optimized out>
http_connection = 0x6040000024b0
http2_settings = <optimized out>
#4 0x000000000037bb05 in connection_handle_read_state (con=0x619000001980) at connections.c:808
hoff = {6, 0, 32, 54, 91, 105, 147, 149, 0, 0, 0, 0, 0, 0, 0, 0, 2, 17152, 0, 0, 1712, 0, 24688, 0, 32982, 32767, 3086, 0, 24790, 49, 0, 0, 0, 0, 0, 0, 1712, 0, 24688,
0, 1696, 0, 24688, 0, 7465, 41, 0, 0, 64, 0, 0, 0, 42538, 48, 0, 256, 80, 0, 0, 0, 63120, 88, 0, 0, 38840, 65535, 32767, 0, 12288, 63236, 0, 0, 112, 0, 0, 0, 12288,
63236, 32767, 0, 7, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 5, 0, 0, 0, 42115, 48, 0, 0, 1, 0, 0, 0, 38840, 65535, 32767, 0, 80, 0, 0, 0, 40944, 65535, 32767, 0, 7964, 41,
0, 0, 53505, 65535, 32767, 0, 16, 0, 0, 0, 5, 0, 0, 0, 42212, 48, 0, 0, 1, 0, 0, 0, 38856, 65535, 32767, 0, 5, 0, 0, 0, 42115, 48, 0, 0, 60088, 81, 0, 0, 61012,
62487, 32767, 0, 32835, 78, 0, 0, 19824, 99, 0, 0, 53761, 65535, 32767, 0, 43540, 50, 0, 0, 2, 0, 0, 0, 19824, 99, 0, 0, 33252, 32767, 3895, 61570, 4, 0, 0, 0, 4, 0,
0, 0, 19824, 99, 0, 0...}
cq = <optimized out>
discard_blank = 0 '\000'
pipelined_request_start = <optimized out>
keepalive_request_start = <optimized out>
r = 0x619000001980
header_len = 149
clen = 149
c = 0x608000000aa0
hdrs = 0x625000000100 "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n"
#5 0x00000000003764d3 in connection_state_machine_loop (r=0x619000001980, con=0x619000001980) at connections.c:1079
ostate = CON_STATE_REQUEST_START
#6 0x000000000037583c in connection_state_machine_h1 (r=0x619000001980, con=0x619000001980) at connections.c:1418
log_state_handling = <optimized out>
#7 0x00000000003729d8 in connection_state_machine (con=0x62100000150e) at connections.c:1436
r = 0x62100000150e
#8 0x00000000003c396c in network_server_handle_fdevent (context=0x60d000000380, revents=<optimized out>) at network.c:66
srv_socket = 0x60d000000380
srv = 0x615000000300
loops = <optimized out>
con = 0x6300000f0400
#9 0x0000000000518c21 in fdevent_linux_sysepoll_poll (ev=<optimized out>, timeout_ms=<optimized out>) at fdevent_linux_sysepoll.c:43
n = 1
#10 0x0000000000488eeb in fdevent_poll (ev=0x619000000a80, timeout_ms=-150720288) at fdevent.c:436
n = <optimized out>
#11 0x0000000000346e7c in server_main_loop (srv=0x615000000300) at server.c:1902
Updated by gstrauss almost 4 years ago
I still have not reproduced this. However, if the crash does not occur with the following patch, this would suggest that the issue is likely somewhere in the ls-hpack code for encoder history table.
--- a/src/h2.c +++ b/src/h2.c @@ -1650,7 +1650,7 @@ h2_init_con (request_st * const restrict h2r, connection * const restrict con, c lshpack_dec_init(&h2c->decoder); lshpack_enc_init(&h2c->encoder); - lshpack_enc_use_hist(&h2c->encoder, 1); +// lshpack_enc_use_hist(&h2c->encoder, 1); if (http2_settings) /*(if Upgrade: h2c)*/ h2_parse_frame_settings(con, (uint8_t *)CONST_BUF_LEN(http2_settings));
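Review bot: the disabled lshpack_enc_use_hist() call in h2_init_con is left behind as a // line comment with no explanation, while the other comment in this hunk uses the /* */ style (/*(if Upgrade: h2c)*/). Since the change exists only to rule out the ls-hpack encoder history table, either keep it out of the tree or replace the dead line with a short /* */ note saying why the call is skipped, so it is not committed by accident.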
Does the crash still occur with a simplified, two-line lighttpd.conf? (I expect that it will (without the patch above), but this should be an easy assumption to verify)
server.port = 3000
server.document-root = "/var/www/"
Updated by stbuehler almost 4 years ago
axe34, might I suggest you get a pcap (tcpdump) or a detailed strace (-v -s 4000) of the two connections so others can try to reproduce it?
Other things often useful in such situations:
- try without compiler optimizations; if it still happens the gdb (or valgrind?) backtrace will be much more useful
- call "disassemble" and "info registers" in gdb (in optimized builds gdb high-level info is often not accurate enough), so you can see exactly where it got stuck
Updated by gstrauss almost 4 years ago
- Status changed from New to Need Feedback
Updated by axe34 almost 4 years ago
With the patch it still crashes.
Here is the full backtrace without compiler optimizations.
h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
h2c = 0xf3b034c0
#1 0x005c1a5a in h2_init_con (h2r=0xf4103880, con=0xf4103880, http2_settings=0xf59006f0) at h2.c:1656
h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377"
h2c = <optimized out>
#2 0x005d383d in h2_check_con_upgrade_h2c (r=<optimized out>) at h2.c:2538
upgrade = <optimized out>
http_connection = <optimized out>
http2_settings = <optimized out>
#3 0x00599e36 in connection_handle_read_state (con=0xf4103880) at connections.c:808
hoff = <optimized out>
cq = <optimized out>
discard_blank = <optimized out>
pipelined_request_start = <optimized out>
keepalive_request_start = <optimized out>
r = 0xf4103880
header_len = 149
clen = <optimized out>
c = 0xf4103914
hdrs = <optimized out>
#4 0x00590dfb in connection_state_machine_loop (r=<optimized out>, con=0xf4103880) at connections.c:1079
ostate = CON_STATE_REQUEST_START
#5 0x0058dea3 in connection_state_machine_h1 (r=0xf4103880, con=0xf5501503) at connections.c:1418
log_state_handling = <optimized out>
#6 0x005eada2 in network_server_handle_fdevent (context=0xf45031d0, revents=1) at connections.c:1436
srv_socket = 0xf45031d0
srv = 0xf5703c40
loops = <optimized out>
con = 0xf5b3c800
#7 0x00792764 in fdevent_linux_sysepoll_poll (ev=0xf4103c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
n = 1
#8 0x006e4133 in fdevent_poll (ev=0xf4103c80, timeout_ms=1000) at fdevent.c:436
n = <optimized out>
#9 0x00555964 in server_main_loop (srv=<optimized out>) at server.c:1902
min_ts = <optimized out>
joblist = <optimized out>
last_active_ts = 1612719657
#10 0x00547964 in main (argc=<optimized out>, argv=<optimized out>) at server.c:2034
srv = 0xf5703c40
rc = 1
Here is the assembler dump.
0x005be4ce <+1710>: nop
0x005be4cf <+1711>: nop
0x005be4d0 <+1712>: mov 0x7fac4c,%eax
0x005be4d5 <+1717>: movzbl 0x320c(%eax),%ecx
0x005be4dc <+1724>: add $0x1,%cl
0x005be4df <+1727>: adc $0x0,%cl
0x005be4e2 <+1730>: mov %cl,0x320c(%eax)
0x005be4e8 <+1736>: cmp 0x5c(%esp),%esi
0x005be4ec <+1740>: ja 0x5bf29a <h2_parse_frame_settings+5242>
0x005be4f2 <+1746>: mov 0x60(%esp),%eax
0x005be4f6 <+1750>: add %esi,%eax
0x005be4f8 <+1752>: mov 0x7fac4c,%ecx
0x005be4fe <+1758>: movzbl 0x320a(%ecx),%edx
0x005be505 <+1765>: add $0x1,%dl
0x005be508 <+1768>: adc $0x0,%dl
0x005be50b <+1771>: mov %dl,0x320a(%ecx)
0x005be511 <+1777>: test $0x3,%al
0x005be513 <+1779>: jne 0x5bf24f <h2_parse_frame_settings+5167>
0x005be519 <+1785>: mov 0x7fac4c,%ecx
0x005be51f <+1791>: movzbl 0x3207(%ecx),%edx
0x005be526 <+1798>: add $0x1,%dl
0x005be529 <+1801>: adc $0x0,%dl
0x005be52c <+1804>: mov %dl,0x3207(%ecx)
0x005be532 <+1810>: mov %eax,%ecx
0x005be534 <+1812>: shr $0x3,%ecx
0x005be537 <+1815>: movzbl 0x20000000(%ecx),%ecx
0x005be53e <+1822>: test %cl,%cl
0x005be540 <+1824>: jne 0x5be739 <h2_parse_frame_settings+2329>
0x005be546 <+1830>: mov 0x7fac4c,%ecx
0x005be54c <+1836>: movzbl 0x3205(%ecx),%edx
0x005be553 <+1843>: add $0x1,%dl
0x005be556 <+1846>: adc $0x0,%dl
0x005be559 <+1849>: mov %dl,0x3205(%ecx)
0x005be55f <+1855>: mov (%eax),%ecx
0x005be561 <+1857>: test $0x3,%cl
0x005be564 <+1860>: jne 0x5bf21d <h2_parse_frame_settings+5117>
0x005be56a <+1866>: test %ecx,%ecx
0x005be56c <+1868>: je 0x5bf21d <h2_parse_frame_settings+5117>
0x005be572 <+1874>: mov 0x7fac4c,%eax
0x005be577 <+1879>: movzbl 0x3201(%eax),%edx
0x005be57e <+1886>: add $0x1,%dl
0x005be581 <+1889>: adc $0x0,%dl
0x005be584 <+1892>: mov %dl,0x3201(%eax)
0x005be58a <+1898>: lea 0x14(%ecx),%ebx
0x005be58d <+1901>: test $0x3,%bl
0x005be590 <+1904>: jne 0x5bf268 <h2_parse_frame_settings+5192>
0x005be596 <+1910>: mov 0x7fac4c,%eax
0x005be59b <+1915>: movzbl 0x31ff(%eax),%edx
0x005be5a2 <+1922>: add $0x1,%dl
0x005be5a5 <+1925>: adc $0x0,%dl
0x005be5a8 <+1928>: mov %dl,0x31ff(%eax)
0x005be5ae <+1934>: mov %ebx,0xc(%esp)
0x005be5b2 <+1938>: mov %ebx,%edi
0x005be5b4 <+1940>: shr $0x3,%edi
0x005be5b7 <+1943>: movzbl 0x20000000(%edi),%ebx
0x005be5be <+1950>: test %bl,%bl
0x005be5c0 <+1952>: mov %esi,0x10(%esp)
0x005be5c4 <+1956>: jne 0x5be78a <h2_parse_frame_settings+2410>
0x005be5ca <+1962>: mov 0x7fac4c,%eax
0x005be5cf <+1967>: movzbl 0x31fd(%eax),%ebx
0x005be5d6 <+1974>: add $0x1,%bl
0x005be5d9 <+1977>: adc $0x0,%bl
0x005be5dc <+1980>: mov %bl,0x31fd(%eax)
0x005be5e2 <+1986>: lea 0x8(%ecx),%ebx
0x005be5e5 <+1989>: test $0x3,%bl
0x005be5e8 <+1992>: jne 0x5bf281 <h2_parse_frame_settings+5217>
0x005be5ee <+1998>: mov %ebp,%esi
0x005be5f0 <+2000>: mov 0x14(%ecx),%ebp
0x005be5f3 <+2003>: mov 0x7fac4c,%eax
0x005be5f8 <+2008>: movzbl 0x31f9(%eax),%edx
0x005be5ff <+2015>: add $0x1,%dl
0x005be602 <+2018>: adc $0x0,%dl
0x005be605 <+2021>: mov %dl,0x31f9(%eax)
0x005be60b <+2027>: mov %ebx,%eax
0x005be60d <+2029>: shr $0x3,%eax
0x005be610 <+2032>: movzbl 0x20000000(%eax),%eax
0x005be617 <+2039>: test %al,%al
0x005be619 <+2041>: jne 0x5be7da <h2_parse_frame_settings+2490>
0x005be61f <+2047>: mov 0x7fac4c,%eax
0x005be624 <+2052>: movzbl 0x31f7(%eax),%edx
0x005be62b <+2059>: add $0x1,%dl
0x005be62e <+2062>: adc $0x0,%dl
0x005be631 <+2065>: mov %dl,0x31f7(%eax)
0x005be637 <+2071>: mov (%ebx),%eax
0x005be639 <+2073>: cmp $0x4,%eax
0x005be63c <+2076>: je 0x5be830 <h2_parse_frame_settings+2576>
0x005be642 <+2082>: cmp $0x6,%eax
0x005be645 <+2085>: jne 0x5be670 <h2_parse_frame_settings+2128>
0x005be647 <+2087>: mov 0x7fac4c,%eax
0x005be64c <+2092>: movzbl 0x31f4(%eax),%ecx
0x005be653 <+2099>: add $0x1,%cl
0x005be656 <+2102>: adc $0x0,%cl
0x005be659 <+2105>: mov %cl,0x31f4(%eax)
0x005be65f <+2111>: test %esi,%esi
0x005be661 <+2113>: jne 0x5be84c <h2_parse_frame_settings+2604>
0x005be667 <+2119>: jmp 0x5be8c3 <h2_parse_frame_settings+2723>
0x005be66c <+2124>: nop
0x005be66d <+2125>: nop
0x005be66e <+2126>: nop
0x005be66f <+2127>: nop
0x005be670 <+2128>: mov 0x7fac4c,%eax
0x005be675 <+2133>: movzbl 0x31f2(%eax),%edx
0x005be67c <+2140>: add $0x1,%dl
0x005be67f <+2143>: adc $0x0,%dl
0x005be682 <+2146>: mov %dl,0x31f2(%eax)
0x005be688 <+2152>: cmp 0x40(%esp),%ebp
0x005be68c <+2156>: jg 0x5be704 <h2_parse_frame_settings+2276>
0x005be68e <+2158>: mov 0x7fac4c,%eax
0x005be693 <+2163>: movzbl 0x31f1(%eax),%ecx
0x005be69a <+2170>: add $0x1,%cl
0x005be69d <+2173>: adc $0x0,%cl
0x005be6a0 <+2176>: mov %cl,0x31f1(%eax)
0x005be6a6 <+2182>: add 0x58(%esp),%ebp
0x005be6aa <+2186>: jo 0x5bf3df <h2_parse_frame_settings+5567>
0x005be6b0 <+2192>: or $0x20000000,%edi
0x005be6b6 <+2198>: mov 0x7fac4c,%eax
0x005be6bb <+2203>: movzbl 0x31ef(%eax),%ecx
0x005be6c2 <+2210>: add $0x1,%cl
0x005be6c5 <+2213>: adc $0x0,%cl
0x005be6c8 <+2216>: mov %cl,0x31ef(%eax)
0x005be6ce <+2222>: movzbl (%edi),%eax
0x005be6d1 <+2225>: test %al,%al
0x005be6d3 <+2227>: mov 0xc(%esp),%ebx
0x005be6d7 <+2231>: jne 0x5be87c <h2_parse_frame_settings+2652>
0x005be6dd <+2237>: mov 0x7fac4c,%eax
0x005be6e2 <+2242>: movzbl 0x31ec(%eax),%ecx
0x005be6e9 <+2249>: add $0x1,%cl
0x005be6ec <+2252>: adc $0x0,%cl
0x005be6ef <+2255>: mov %cl,0x31ec(%eax)
0x005be6f5 <+2261>: mov %ebp,(%ebx)
0x005be6f7 <+2263>: test %esi,%esi
0x005be6f9 <+2265>: jne 0x5be84c <h2_parse_frame_settings+2604>
0x005be6ff <+2271>: jmp 0x5be8c3 <h2_parse_frame_settings+2723>
0x005be704 <+2276>: mov 0x7fac4c,%eax
0x005be709 <+2281>: movzbl 0x31f0(%eax),%edx
0x005be710 <+2288>: add $0x1,%dl
0x005be713 <+2291>: adc $0x0,%dl
0x005be716 <+2294>: mov %dl,0x31f0(%eax)
0x005be71c <+2300>: movl $0x3,(%esp)
0x005be723 <+2307>: mov 0x2c(%esp),%edx
0x005be727 <+2311>: call 0x5a5a7e <h2_send_rst_stream>
0x005be72c <+2316>: test %esi,%esi
0x005be72e <+2318>: jne 0x5be84c <h2_parse_frame_settings+2604>
0x005be734 <+2324>: jmp 0x5be8c3 <h2_parse_frame_settings+2723>
0x005be739 <+2329>: mov 0x7fac4c,%edx
0x005be73f <+2335>: mov 0x3206(%edx),%ch
0x005be745 <+2341>: add $0x1,%ch
0x005be748 <+2344>: adc $0x0,%ch
0x005be74b <+2347>: mov %ch,0x3206(%edx)
0x005be751 <+2353>: mov %eax,%edx
0x005be753 <+2355>: and $0x7,%dl
0x005be756 <+2358>: add $0x3,%dl
0x005be759 <+2361>: cmp %cl,%dl
0x005be75b <+2363>: jge 0x5bf44d <h2_parse_frame_settings+5677>
0x005be761 <+2369>: mov 0x7fac4c,%ecx
0x005be767 <+2375>: movzbl 0x3203(%ecx),%edx
0x005be76e <+2382>: add $0x1,%dl
0x005be771 <+2385>: adc $0x0,%dl
0x005be774 <+2388>: mov %dl,0x3203(%ecx)
0x005be77a <+2394>: mov (%eax),%ecx
0x005be77c <+2396>: test $0x3,%cl
0x005be77f <+2399>: je 0x5be56a <h2_parse_frame_settings+1866>
0x005be785 <+2405>: jmp 0x5bf21d <h2_parse_frame_settings+5117>
0x005be78a <+2410>: mov 0x7fac4c,%eax
0x005be78f <+2415>: mov 0x31fe(%eax),%bh
0x005be795 <+2421>: add $0x1,%bh
0x005be798 <+2424>: adc $0x0,%bh
0x005be79b <+2427>: mov %bh,0x31fe(%eax)
0x005be7a1 <+2433>: mov 0xc(%esp),%eax
0x005be7a5 <+2437>: and $0x7,%al
0x005be7a7 <+2439>: add $0x3,%al
0x005be7a9 <+2441>: cmp %bl,%al
0x005be7ab <+2443>: jge 0x5bf4c2 <h2_parse_frame_settings+5794>
0x005be7b1 <+2449>: mov 0x7fac4c,%eax
0x005be7b6 <+2454>: movzbl 0x31fb(%eax),%ebx
0x005be7bd <+2461>: add $0x1,%bl
0x005be7c0 <+2464>: adc $0x0,%bl
0x005be7c3 <+2467>: mov %bl,0x31fb(%eax)
0x005be7c9 <+2473>: lea 0x8(%ecx),%ebx
0x005be7cc <+2476>: test $0x3,%bl
0x005be7cf <+2479>: je 0x5be5ee <h2_parse_frame_settings+1998>
0x005be7d5 <+2485>: jmp 0x5bf281 <h2_parse_frame_settings+5217>
0x005be7da <+2490>: mov 0x7fac4c,%edx
0x005be7e0 <+2496>: mov 0x31f8(%edx),%ah
0x005be7e6 <+2502>: add $0x1,%ah
0x005be7e9 <+2505>: adc $0x0,%ah
0x005be7ec <+2508>: mov %ah,0x31f8(%edx)
0x005be7f2 <+2514>: mov %ebx,%edx
0x005be7f4 <+2516>: and $0x7,%dl
0x005be7f7 <+2519>: add $0x3,%dl
0x005be7fa <+2522>: cmp %al,%dl
0x005be7fc <+2524>: jge 0x5bf4e5 <h2_parse_frame_settings+5829>
0x005be802 <+2530>: mov 0x7fac4c,%eax
0x005be807 <+2535>: movzbl 0x31f5(%eax),%edx
0x005be80e <+2542>: add $0x1,%dl
0x005be811 <+2545>: adc $0x0,%dl
0x005be814 <+2548>: mov %dl,0x31f5(%eax)
0x005be81a <+2554>: mov (%ebx),%eax
0x005be81c <+2556>: cmp $0x4,%eax
0x005be81f <+2559>: jne 0x5be642 <h2_parse_frame_settings+2082>
0x005be825 <+2565>: nop
0x005be826 <+2566>: nop
0x005be827 <+2567>: nop
0x005be828 <+2568>: nop
0x005be829 <+2569>: nop
0x005be82a <+2570>: nop
0x005be82b <+2571>: nop
0x005be82c <+2572>: nop
0x005be82d <+2573>: nop
0x005be82e <+2574>: nop
0x005be82f <+2575>: nop
0x005be830 <+2576>: mov 0x7fac4c,%eax
0x005be835 <+2581>: movzbl 0x31f3(%eax),%ecx
0x005be83c <+2588>: add $0x1,%cl
0x005be83f <+2591>: adc $0x0,%cl
0x005be842 <+2594>: mov %cl,0x31f3(%eax)
0x005be848 <+2600>: test %esi,%esi
0x005be84a <+2602>: je 0x5be8c3 <h2_parse_frame_settings+2723>
0x005be84c <+2604>: mov %esi,%ebp
0x005be84e <+2606>: mov 0x7fac4c,%eax
0x005be853 <+2611>: movzbl 0x31e9(%eax),%ecx
0x005be85a <+2618>: add $0x1,%cl
0x005be85d <+2621>: adc $0x0,%cl
0x005be860 <+2624>: mov %cl,0x31e9(%eax)
0x005be866 <+2630>: mov 0x10(%esp),%esi
0x005be86a <+2634>: add $0x4,%esi
0x005be86d <+2637>: dec %ebp
0x005be86e <+2638>: cmp $0x20,%esi
0x005be871 <+2641>: jne 0x5be4d0 <h2_parse_frame_settings+1712>
0x005be877 <+2647>: jmp 0x5bf2b3 <h2_parse_frame_settings+5267>
0x005be87c <+2652>: mov 0x7fac4c,%ecx
0x005be882 <+2658>: movzbl 0x31ed(%ecx),%edx
0x005be889 <+2665>: add $0x1,%dl
0x005be88c <+2668>: adc $0x0,%dl
0x005be88f <+2671>: mov %dl,0x31ed(%ecx)
0x005be895 <+2677>: mov %ebx,%ecx
0x005be897 <+2679>: and $0x7,%cl
0x005be89a <+2682>: add $0x3,%cl
0x005be89d <+2685>: cmp %al,%cl
0x005be89f <+2687>: jge 0x5bf504 <h2_parse_frame_settings+5860>
0x005be8a5 <+2693>: mov 0x7fac4c,%eax
0x005be8aa <+2698>: movzbl 0x31ea(%eax),%ecx
0x005be8b1 <+2705>: add $0x1,%cl
0x005be8b4 <+2708>: adc $0x0,%cl
0x005be8b7 <+2711>: mov %cl,0x31ea(%eax)
0x005be8bd <+2717>: mov %ebp,(%ebx)
0x005be8bf <+2719>: test %esi,%esi
0x005be8c1 <+2721>: jne 0x5be84c <h2_parse_frame_settings+2604>
0x005be8c3 <+2723>: mov 0x7fac4c,%eax
0x005be8c8 <+2728>: mov 0x31e8(%eax),%cl
0x005be8ce <+2734>: add $0x1,%cl
0x005be8d1 <+2737>: adc $0x0,%cl
0x005be8d4 <+2740>: mov %cl,0x31e8(%eax)
0x005be8da <+2746>: jmp 0x5bee9d <h2_parse_frame_settings+4221>
0x005be8df <+2751>: mov 0x7fac4c,%eax
0x005be8e4 <+2756>: mov 0x322d(%eax),%cl
0x005be8ea <+2762>: add $0x1,%cl
0x005be8ed <+2765>: adc $0x0,%cl
0x005be8f0 <+2768>: mov %cl,0x322d(%eax)
0x005be8f6 <+2774>: cmp $0x2,%ebp
0x005be8f9 <+2777>: jae 0x5bf152 <h2_parse_frame_settings+4914>
0x005be8ff <+2783>: mov 0x7fac4c,%eax
0x005be904 <+2788>: mov 0x3221(%eax),%cl
0x005be90a <+2794>: add $0x1,%cl
0x005be90d <+2797>: adc $0x0,%cl
0x005be910 <+2800>: mov %cl,0x3221(%eax)
0x005be916 <+2806>: cmpb $0x0,0x1b(%esp)
0x005be91b <+2811>: jne 0x5bf59b <h2_parse_frame_settings+6011>
0x005be921 <+2817>: mov 0x7fac4c,%eax
0x005be926 <+2822>: mov 0x3220(%eax),%cl
0x005be92c <+2828>: add $0x1,%cl
0x005be92f <+2831>: adc $0x0,%cl
0x005be932 <+2834>: mov %cl,0x3220(%eax)
0x005be938 <+2840>: mov 0x68(%esp),%eax
0x005be93c <+2844>: mov (%eax),%al
0x005be93e <+2846>: test %al,%al
0x005be940 <+2848>: je 0x5be94c <h2_parse_frame_settings+2860>
0x005be942 <+2850>: cmp %al,0x16(%esp)
0x005be946 <+2854>: jge 0x5bf5b4 <h2_parse_frame_settings+6036>
0x005be94c <+2860>: mov 0x7fac4c,%eax
0x005be951 <+2865>: mov 0x321d(%eax),%cl
0x005be957 <+2871>: add $0x1,%cl
0x005be95a <+2874>: adc $0x0,%cl
0x005be95d <+2877>: mov %cl,0x321d(%eax)
0x005be963 <+2883>: mov 0x30(%esp),%eax
0x005be967 <+2887>: jmp 0x5be9d1 <h2_parse_frame_settings+2993>
0x005be969 <+2889>: mov 0x7fac4c,%eax
0x005be96e <+2894>: mov 0x3231(%eax),%cl
0x005be974 <+2900>: add $0x1,%cl
0x005be977 <+2903>: adc $0x0,%cl
0x005be97a <+2906>: mov %cl,0x3231(%eax)
0x005be980 <+2912>: cmpb $0x0,0xb(%esp)
0x005be985 <+2917>: jne 0x5bf613 <h2_parse_frame_settings+6131>
0x005be98b <+2923>: mov 0x7fac4c,%eax
0x005be990 <+2928>: mov 0x31b8(%eax),%cl
0x005be996 <+2934>: add $0x1,%cl
0x005be999 <+2937>: adc $0x0,%cl
0x005be99c <+2940>: mov %cl,0x31b8(%eax)
0x005be9a2 <+2946>: mov 0x70(%esp),%eax
0x005be9a6 <+2950>: mov (%eax),%al
0x005be9a8 <+2952>: test %al,%al
0x005be9aa <+2954>: je 0x5be9b6 <h2_parse_frame_settings+2966>
0x005be9ac <+2956>: cmp %al,0x1a(%esp)
0x005be9b0 <+2960>: jge 0x5bf62c <h2_parse_frame_settings+6156>
0x005be9b6 <+2966>: mov 0x7fac4c,%eax
0x005be9bb <+2971>: mov 0x31b5(%eax),%cl
0x005be9c1 <+2977>: add $0x1,%cl
0x005be9c4 <+2980>: adc $0x0,%cl
0x005be9c7 <+2983>: mov %cl,0x31b5(%eax)
0x005be9cd <+2989>: mov 0x4c(%esp),%eax
0x005be9d1 <+2993>: mov %ebp,(%eax)
0x005be9d3 <+2995>: jmp 0x5bef00 <h2_parse_frame_settings+4320>
0x005be9d8 <+3000>: mov 0x7fac4c,%eax
0x005be9dd <+3005>: mov 0x322b(%eax),%cl
0x005be9e3 <+3011>: add $0x1,%cl
0x005be9e6 <+3014>: adc $0x0,%cl
0x005be9e9 <+3017>: mov %cl,0x322b(%eax)
0x005be9ef <+3023>: jmp 0x5bef00 <h2_parse_frame_settings+4320>
0x005be9f4 <+3028>: mov 0x7fac4c,%eax
0x005be9f9 <+3033>: mov 0x3226(%eax),%cl
0x005be9ff <+3039>: add $0x1,%cl
0x005bea02 <+3042>: adc $0x0,%cl
0x005bea05 <+3045>: mov %cl,0x3226(%eax)
0x005bea0b <+3051>: mov 0x50(%esp),%eax
0x005bea0f <+3055>: mov (%eax),%al
0x005bea11 <+3057>: test %al,%al
0x005bea13 <+3059>: je 0x5bea1f <h2_parse_frame_settings+3071>
0x005bea15 <+3061>: cmp %al,0x9(%esp)
0x005bea19 <+3065>: jge 0x5bf7e6 <h2_parse_frame_settings+6598>
0x005bea1f <+3071>: mov 0x7fac4c,%eax
0x005bea24 <+3076>: mov 0x3223(%eax),%cl
0x005bea2a <+3082>: add $0x1,%cl
0x005bea2d <+3085>: adc $0x0,%cl
0x005bea30 <+3088>: mov %cl,0x3223(%eax)
0x005bea36 <+3094>: mov 0x24(%esp),%eax
0x005bea3a <+3098>: mov %edx,(%eax)
0x005bea3c <+3100>: mov %edx,0x4(%esp)
0x005bea40 <+3104>: mov 0x64(%esp),%eax
0x005bea44 <+3108>: mov %eax,(%esp)
0x005bea47 <+3111>: call 0x6034b0 <lshpack_enc_set_max_capacity>
0x005bea4c <+3116>: jmp 0x5bef00 <h2_parse_frame_settings+4320>
0x005bea51 <+3121>: mov 0x7fac4c,%eax
0x005bea56 <+3126>: mov 0x3213(%eax),%cl
0x005bea5c <+3132>: add $0x1,%cl
0x005bea5f <+3135>: adc $0x0,%cl
0x005bea62 <+3138>: mov %cl,0x3213(%eax)
0x005bea68 <+3144>: jmp 0x5beea1 <h2_parse_frame_settings+4225>
0x005bea6d <+3149>: mov $0x80000000,%eax
0x005bea72 <+3154>: sub %edx,%eax
0x005bea74 <+3156>: mov %eax,0x40(%esp)
0x005bea78 <+3160>: mov 0x7fac4c,%eax
0x005bea7d <+3165>: mov 0x320e(%eax),%cl
0x005bea83 <+3171>: add $0x1,%cl
0x005bea86 <+3174>: adc $0x0,%cl
0x005bea89 <+3177>: mov %cl,0x320e(%eax)
0x005bea8f <+3183>: dec %ebp
0x005bea90 <+3184>: xor %esi,%esi
0x005bea92 <+3186>: cmp $0x20,%esi
0x005bea95 <+3189>: je 0x5bf330 <h2_parse_frame_settings+5392>
0x005bea9b <+3195>: nop
0x005bea9c <+3196>: nop
0x005bea9d <+3197>: nop
0x005bea9e <+3198>: nop
0x005bea9f <+3199>: nop
0x005beaa0 <+3200>: mov 0x7fac4c,%eax
0x005beaa5 <+3205>: movzbl 0x31e7(%eax),%ecx
0x005beaac <+3212>: add $0x1,%cl
0x005beaaf <+3215>: adc $0x0,%cl
0x005beab2 <+3218>: mov %cl,0x31e7(%eax)
0x005beab8 <+3224>: cmp 0x5c(%esp),%esi
0x005beabc <+3228>: ja 0x5bf317 <h2_parse_frame_settings+5367>
0x005beac2 <+3234>: mov 0x60(%esp),%eax
0x005beac6 <+3238>: add %esi,%eax
0x005beac8 <+3240>: mov 0x7fac4c,%ecx
0x005beace <+3246>: movzbl 0x31e5(%ecx),%edx
0x005bead5 <+3253>: add $0x1,%dl
0x005bead8 <+3256>: adc $0x0,%dl
0x005beadb <+3259>: mov %dl,0x31e5(%ecx)
0x005beae1 <+3265>: test $0x3,%al
0x005beae3 <+3267>: jne 0x5bf2cc <h2_parse_frame_settings+5292>
0x005beae9 <+3273>: mov 0x7fac4c,%ecx
0x005beaef <+3279>: movzbl 0x31e2(%ecx),%edx
0x005beaf6 <+3286>: add $0x1,%dl
0x005beaf9 <+3289>: adc $0x0,%dl
0x005beafc <+3292>: mov %dl,0x31e2(%ecx)
0x005beb02 <+3298>: mov %eax,%ecx
0x005beb04 <+3300>: shr $0x3,%ecx
0x005beb07 <+3303>: movzbl 0x20000000(%ecx),%ecx
0x005beb0e <+3310>: test %cl,%cl
0x005beb10 <+3312>: jne 0x5becf9 <h2_parse_frame_settings+3801>
0x005beb16 <+3318>: mov 0x7fac4c,%ecx
0x005beb1c <+3324>: movzbl 0x31e0(%ecx),%edx
0x005beb23 <+3331>: add $0x1,%dl
0x005beb26 <+3334>: adc $0x0,%dl
0x005beb29 <+3337>: mov %dl,0x31e0(%ecx)
0x005beb2f <+3343>: mov (%eax),%ecx
0x005beb31 <+3345>: test $0x3,%cl
0x005beb34 <+3348>: jne 0x5bf236 <h2_parse_frame_settings+5142>
0x005beb3a <+3354>: test %ecx,%ecx
0x005beb3c <+3356>: je 0x5bf236 <h2_parse_frame_settings+5142>
0x005beb42 <+3362>: mov 0x7fac4c,%eax
0x005beb47 <+3367>: movzbl 0x31dc(%eax),%edx
0x005beb4e <+3374>: add $0x1,%dl
0x005beb51 <+3377>: adc $0x0,%dl
0x005beb54 <+3380>: mov %dl,0x31dc(%eax)
0x005beb5a <+3386>: lea 0x14(%ecx),%ebx
0x005beb5d <+3389>: test $0x3,%bl
0x005beb60 <+3392>: jne 0x5bf2e5 <h2_parse_frame_settings+5317>
0x005beb66 <+3398>: mov 0x7fac4c,%eax
0x005beb6b <+3403>: movzbl 0x31da(%eax),%edx
0x005beb72 <+3410>: add $0x1,%dl
0x005beb75 <+3413>: adc $0x0,%dl
0x005beb78 <+3416>: mov %dl,0x31da(%eax)
0x005beb7e <+3422>: mov %ebx,0xc(%esp)
0x005beb82 <+3426>: mov %ebx,%edi
0x005beb84 <+3428>: shr $0x3,%edi
0x005beb87 <+3431>: movzbl 0x20000000(%edi),%ebx
0x005beb8e <+3438>: test %bl,%bl
0x005beb90 <+3440>: mov %esi,0x10(%esp)
0x005beb94 <+3444>: jne 0x5bed4a <h2_parse_frame_settings+3882>
0x005beb9a <+3450>: mov 0x7fac4c,%eax
0x005beb9f <+3455>: movzbl 0x31d8(%eax),%ebx
0x005beba6 <+3462>: add $0x1,%bl
0x005beba9 <+3465>: adc $0x0,%bl
0x005bebac <+3468>: mov %bl,0x31d8(%eax)
0x005bebb2 <+3474>: lea 0x8(%ecx),%ebx
0x005bebb5 <+3477>: test $0x3,%bl
0x005bebb8 <+3480>: jne 0x5bf2fe <h2_parse_frame_settings+5342>
0x005bebbe <+3486>: mov %ebp,%esi
0x005bebc0 <+3488>: mov 0x14(%ecx),%ebp
0x005bebc3 <+3491>: mov 0x7fac4c,%eax
0x005bebc8 <+3496>: movzbl 0x31d4(%eax),%edx
0x005bebcf <+3503>: add $0x1,%dl
0x005bebd2 <+3506>: adc $0x0,%dl
0x005bebd5 <+3509>: mov %dl,0x31d4(%eax)
0x005bebdb <+3515>: mov %ebx,%eax
0x005bebdd <+3517>: shr $0x3,%eax
0x005bebe0 <+3520>: movzbl 0x20000000(%eax),%eax
0x005bebe7 <+3527>: test %al,%al
0x005bebe9 <+3529>: jne 0x5bed9a <h2_parse_frame_settings+3962>
0x005bebef <+3535>: mov 0x7fac4c,%eax
0x005bebf4 <+3540>: movzbl 0x31d2(%eax),%edx
0x005bebfb <+3547>: add $0x1,%dl
0x005bebfe <+3550>: adc $0x0,%dl
0x005bec01 <+3553>: mov %dl,0x31d2(%eax)
0x005bec07 <+3559>: mov (%ebx),%eax
0x005bec09 <+3561>: cmp $0x4,%eax
0x005bec0c <+3564>: je 0x5bedf0 <h2_parse_frame_settings+4048>
0x005bec12 <+3570>: cmp $0x6,%eax
0x005bec15 <+3573>: jne 0x5bec40 <h2_parse_frame_settings+3616>
0x005bec17 <+3575>: mov 0x7fac4c,%eax
0x005bec1c <+3580>: movzbl 0x31cf(%eax),%ecx
0x005bec23 <+3587>: add $0x1,%cl
0x005bec26 <+3590>: adc $0x0,%cl
0x005bec29 <+3593>: mov %cl,0x31cf(%eax)
0x005bec2f <+3599>: jmp 0x5bee08 <h2_parse_frame_settings+4072>
0x005bec34 <+3604>: nop
0x005bec35 <+3605>: nop
0x005bec36 <+3606>: nop
0x005bec37 <+3607>: nop
0x005bec38 <+3608>: nop
0x005bec39 <+3609>: nop
0x005bec3a <+3610>: nop
0x005bec3b <+3611>: nop
0x005bec3c <+3612>: nop
0x005bec3d <+3613>: nop
0x005bec3e <+3614>: nop
0x005bec3f <+3615>: nop
0x005bec40 <+3616>: mov 0x7fac4c,%eax
0x005bec45 <+3621>: movzbl 0x31cd(%eax),%edx
0x005bec4c <+3628>: add $0x1,%dl
0x005bec4f <+3631>: adc $0x0,%dl
0x005bec52 <+3634>: mov %dl,0x31cd(%eax)
0x005bec58 <+3640>: cmp 0x40(%esp),%ebp
0x005bec5c <+3644>: jl 0x5beccc <h2_parse_frame_settings+3756>
0x005bec5e <+3646>: mov 0x7fac4c,%eax
0x005bec63 <+3651>: movzbl 0x31cc(%eax),%ecx
0x005bec6a <+3658>: add $0x1,%cl
0x005bec6d <+3661>: adc $0x0,%cl
0x005bec70 <+3664>: mov %cl,0x31cc(%eax)
0x005bec76 <+3670>: add 0x58(%esp),%ebp
0x005bec7a <+3674>: jo 0x5bf3f8 <h2_parse_frame_settings+5592>
0x005bec80 <+3680>: or $0x20000000,%edi
0x005bec86 <+3686>: mov 0x7fac4c,%eax
0x005bec8b <+3691>: movzbl 0x31ca(%eax),%ecx
0x005bec92 <+3698>: add $0x1,%cl
0x005bec95 <+3701>: adc $0x0,%cl
0x005bec98 <+3704>: mov %cl,0x31ca(%eax)
0x005bec9e <+3710>: movzbl (%edi),%eax
0x005beca1 <+3713>: test %al,%al
0x005beca3 <+3715>: mov 0xc(%esp),%ebx
0x005beca7 <+3719>: jne 0x5bee3c <h2_parse_frame_settings+4124>
0x005becad <+3725>: mov 0x7fac4c,%eax
0x005becb2 <+3730>: movzbl 0x31c7(%eax),%ecx
0x005becb9 <+3737>: add $0x1,%cl
0x005becbc <+3740>: adc $0x0,%cl
0x005becbf <+3743>: mov %cl,0x31c7(%eax)
0x005becc5 <+3749>: mov %ebp,(%ebx)
0x005becc7 <+3751>: jmp 0x5bee08 <h2_parse_frame_settings+4072>
0x005beccc <+3756>: mov 0x7fac4c,%eax
0x005becd1 <+3761>: movzbl 0x31cb(%eax),%edx
0x005becd8 <+3768>: add $0x1,%dl
0x005becdb <+3771>: adc $0x0,%dl
0x005becde <+3774>: mov %dl,0x31cb(%eax)
0x005bece4 <+3780>: movl $0x3,(%esp)
0x005beceb <+3787>: mov 0x2c(%esp),%edx
0x005becef <+3791>: call 0x5a5a7e <h2_send_rst_stream>
0x005becf4 <+3796>: jmp 0x5bee08 <h2_parse_frame_settings+4072>
0x005becf9 <+3801>: mov 0x7fac4c,%edx
0x005becff <+3807>: mov 0x31e1(%edx),%ch
0x005bed05 <+3813>: add $0x1,%ch
0x005bed08 <+3816>: adc $0x0,%ch
0x005bed0b <+3819>: mov %ch,0x31e1(%edx)
0x005bed11 <+3825>: mov %eax,%edx
0x005bed13 <+3827>: and $0x7,%dl
0x005bed16 <+3830>: add $0x3,%dl
0x005bed19 <+3833>: cmp %cl,%dl
0x005bed1b <+3835>: jge 0x5bf761 <h2_parse_frame_settings+6465>
0x005bed21 <+3841>: mov 0x7fac4c,%ecx
0x005bed27 <+3847>: movzbl 0x31de(%ecx),%edx
0x005bed2e <+3854>: add $0x1,%dl
0x005bed31 <+3857>: adc $0x0,%dl
0x005bed34 <+3860>: mov %dl,0x31de(%ecx)
0x005bed3a <+3866>: mov (%eax),%ecx
0x005bed3c <+3868>: test $0x3,%cl
0x005bed3f <+3871>: je 0x5beb3a <h2_parse_frame_settings+3354>
0x005bed45 <+3877>: jmp 0x5bf236 <h2_parse_frame_settings+5142>
0x005bed4a <+3882>: mov 0x7fac4c,%eax
0x005bed4f <+3887>: mov 0x31d9(%eax),%bh
0x005bed55 <+3893>: add $0x1,%bh
0x005bed58 <+3896>: adc $0x0,%bh
0x005bed5b <+3899>: mov %bh,0x31d9(%eax)
0x005bed61 <+3905>: mov 0xc(%esp),%eax
0x005bed65 <+3909>: and $0x7,%al
0x005bed67 <+3911>: add $0x3,%al
0x005bed69 <+3913>: cmp %bl,%al
0x005bed6b <+3915>: jge 0x5bf781 <h2_parse_frame_settings+6497>
0x005bed71 <+3921>: mov 0x7fac4c,%eax
0x005bed76 <+3926>: movzbl 0x31d6(%eax),%ebx
0x005bed7d <+3933>: add $0x1,%bl
0x005bed80 <+3936>: adc $0x0,%bl
0x005bed83 <+3939>: mov %bl,0x31d6(%eax)
0x005bed89 <+3945>: lea 0x8(%ecx),%ebx
0x005bed8c <+3948>: test $0x3,%bl
0x005bed8f <+3951>: je 0x5bebbe <h2_parse_frame_settings+3486>
0x005bed95 <+3957>: jmp 0x5bf2fe <h2_parse_frame_settings+5342>
0x005bed9a <+3962>: mov 0x7fac4c,%edx
0x005beda0 <+3968>: mov 0x31d3(%edx),%ah
0x005beda6 <+3974>: add $0x1,%ah
0x005beda9 <+3977>: adc $0x0,%ah
0x005bedac <+3980>: mov %ah,0x31d3(%edx)
0x005bedb2 <+3986>: mov %ebx,%edx
0x005bedb4 <+3988>: and $0x7,%dl
0x005bedb7 <+3991>: add $0x3,%dl
0x005bedba <+3994>: cmp %al,%dl
0x005bedbc <+3996>: jge 0x5bf7a4 <h2_parse_frame_settings+6532>
0x005bedc2 <+4002>: mov 0x7fac4c,%eax
0x005bedc7 <+4007>: movzbl 0x31d0(%eax),%edx
0x005bedce <+4014>: add $0x1,%dl
0x005bedd1 <+4017>: adc $0x0,%dl
0x005bedd4 <+4020>: mov %dl,0x31d0(%eax)
0x005bedda <+4026>: mov (%ebx),%eax
0x005beddc <+4028>: cmp $0x4,%eax
0x005beddf <+4031>: jne 0x5bec12 <h2_parse_frame_settings+3570>
0x005bede5 <+4037>: nop
0x005bede6 <+4038>: nop
0x005bede7 <+4039>: nop
0x005bede8 <+4040>: nop
0x005bede9 <+4041>: nop
0x005bedea <+4042>: nop
0x005bedeb <+4043>: nop
0x005bedec <+4044>: nop
0x005beded <+4045>: nop
0x005bedee <+4046>: nop
0x005bedef <+4047>: nop
0x005bedf0 <+4048>: mov 0x7fac4c,%eax
0x005bedf5 <+4053>: movzbl 0x31ce(%eax),%ecx
0x005bedfc <+4060>: add $0x1,%cl
0x005bedff <+4063>: adc $0x0,%cl
0x005bee02 <+4066>: mov %cl,0x31ce(%eax)
0x005bee08 <+4072>: test %esi,%esi
0x005bee0a <+4074>: je 0x5bee86 <h2_parse_frame_settings+4198>
0x005bee0c <+4076>: mov %esi,%ebp
0x005bee0e <+4078>: mov 0x7fac4c,%eax
0x005bee13 <+4083>: movzbl 0x31c4(%eax),%ecx
0x005bee1a <+4090>: add $0x1,%cl
0x005bee1d <+4093>: adc $0x0,%cl
0x005bee20 <+4096>: mov %cl,0x31c4(%eax)
0x005bee26 <+4102>: mov 0x10(%esp),%esi
0x005bee2a <+4106>: add $0x4,%esi
0x005bee2d <+4109>: dec %ebp
0x005bee2e <+4110>: cmp $0x20,%esi
0x005bee31 <+4113>: jne 0x5beaa0 <h2_parse_frame_settings+3200>
0x005bee37 <+4119>: jmp 0x5bf330 <h2_parse_frame_settings+5392>
0x005bee3c <+4124>: mov 0x7fac4c,%ecx
0x005bee42 <+4130>: movzbl 0x31c8(%ecx),%edx
0x005bee49 <+4137>: add $0x1,%dl
0x005bee4c <+4140>: adc $0x0,%dl
0x005bee4f <+4143>: mov %dl,0x31c8(%ecx)
0x005bee55 <+4149>: mov %ebx,%ecx
0x005bee57 <+4151>: and $0x7,%cl
0x005bee5a <+4154>: add $0x3,%cl
0x005bee5d <+4157>: cmp %al,%cl
0x005bee5f <+4159>: jge 0x5bf7c3 <h2_parse_frame_settings+6563>
0x005bee65 <+4165>: mov 0x7fac4c,%eax
0x005bee6a <+4170>: movzbl 0x31c5(%eax),%ecx
0x005bee71 <+4177>: add $0x1,%cl
0x005bee74 <+4180>: adc $0x0,%cl
0x005bee77 <+4183>: mov %cl,0x31c5(%eax)
0x005bee7d <+4189>: mov 0xc(%esp),%ebx
0x005bee81 <+4193>: jmp 0x5becc5 <h2_parse_frame_settings+3749>
0x005bee86 <+4198>: mov 0x7fac4c,%eax
0x005bee8b <+4203>: mov 0x31c3(%eax),%cl
0x005bee91 <+4209>: add $0x1,%cl
0x005bee94 <+4212>: adc $0x0,%cl
0x005bee97 <+4215>: mov %cl,0x31c3(%eax)
0x005bee9d <+4221>: mov 0x3c(%esp),%edx
0x005beea1 <+4225>: testb $0x3,0x20(%esp)
0x005beea6 <+4230>: jne 0x5bf523 <h2_parse_frame_settings+5891>
0x005beeac <+4236>: mov 0x7fac4c,%eax
0x005beeb1 <+4241>: mov 0x31c1(%eax),%cl
0x005beeb7 <+4247>: add $0x1,%cl
0x005beeba <+4250>: adc $0x0,%cl
0x005beebd <+4253>: mov %cl,0x31c1(%eax)
0x005beec3 <+4259>: mov 0x54(%esp),%eax
0x005beec7 <+4263>: mov (%eax),%al
0x005beec9 <+4265>: test %al,%al
0x005beecb <+4267>: je 0x5beed7 <h2_parse_frame_settings+4279>
0x005beecd <+4269>: cmp %al,0xa(%esp)
0x005beed1 <+4273>: jge 0x5bf53c <h2_parse_frame_settings+5916>
0x005beed7 <+4279>: mov 0x7fac4c,%eax
0x005beedc <+4284>: mov 0x31bf(%eax),%cl
0x005beee2 <+4290>: add $0x1,%cl
0x005beee5 <+4293>: adc $0x0,%cl
0x005beee8 <+4296>: mov %cl,0x31bf(%eax)
0x005beeee <+4302>: mov 0x20(%esp),%eax
0x005beef2 <+4306>: mov %edx,(%eax)
0x005beef4 <+4308>: nop
0x005beef5 <+4309>: nop
0x005beef6 <+4310>: nop
0x005beef7 <+4311>: nop
0x005beef8 <+4312>: nop
0x005beef9 <+4313>: nop
0x005beefa <+4314>: nop
0x005beefb <+4315>: nop
0x005beefc <+4316>: nop
0x005beefd <+4317>: nop
0x005beefe <+4318>: nop
0x005beeff <+4319>: nop
0x005bef00 <+4320>: mov 0x28(%esp),%eax
0x005bef04 <+4324>: xor $0xfffffffe,%eax
0x005bef07 <+4327>: cmp $0x5,%eax
0x005bef0a <+4330>: jbe 0x5bf3ad <h2_parse_frame_settings+5517>
0x005bef10 <+4336>: mov 0x7fac4c,%eax
0x005bef15 <+4341>: mov 0x31b4(%eax),%cl
0x005bef1b <+4347>: add $0x1,%cl
0x005bef1e <+4350>: adc $0x0,%cl
0x005bef21 <+4353>: mov %cl,0x31b4(%eax)
0x005bef27 <+4359>: mov 0x44(%esp),%eax
0x005bef2b <+4363>: add $0xfffffffa,%eax
0x005bef2e <+4366>: mov %eax,0x44(%esp)
0x005bef32 <+4370>: cmp $0x5,%eax
0x005bef35 <+4373>: jbe 0x5bf0fb <h2_parse_frame_settings+4827>
0x005bef3b <+4379>: mov 0x28(%esp),%edx
0x005bef3f <+4383>: add $0x6,%edx
0x005bef42 <+4386>: mov 0x7fac4c,%eax
0x005bef47 <+4391>: mov 0x31b1(%eax),%cl
0x005bef4d <+4397>: add $0x1,%cl
0x005bef50 <+4400>: adc $0x0,%cl
0x005bef53 <+4403>: mov %cl,0x31b1(%eax)
0x005bef59 <+4409>: cmp $0xfffffffe,%edx
0x005bef5c <+4412>: jne 0x5be050 <h2_parse_frame_settings+560>
0x005bef62 <+4418>: jmp 0x5bf3c6 <h2_parse_frame_settings+5542>
0x005bef67 <+4423>: mov 0x7fac4c,%edx
0x005bef6d <+4429>: mov 0x324d(%edx),%ch
0x005bef73 <+4435>: add $0x1,%ch
0x005bef76 <+4438>: adc $0x0,%ch
0x005bef79 <+4441>: mov %ch,0x324d(%edx)
0x005bef7f <+4447>: mov %eax,%edx
0x005bef81 <+4449>: and $0x7,%dl
0x005bef84 <+4452>: cmp %cl,%dl
0x005bef86 <+4454>: jge 0x5bf668 <h2_parse_frame_settings+6216>
0x005bef8c <+4460>: mov 0x7fac4c,%ecx
0x005bef92 <+4466>: mov 0x324a(%ecx),%dl
0x005bef98 <+4472>: add $0x1,%dl
0x005bef9b <+4475>: adc $0x0,%dl
0x005bef9e <+4478>: mov %dl,0x324a(%ecx)
0x005befa4 <+4484>: movzbl (%eax),%eax
0x005befa7 <+4487>: test %al,%al
0x005befa9 <+4489>: jns 0x5be0b5 <h2_parse_frame_settings+661>
0x005befaf <+4495>: jmp 0x5bf349 <h2_parse_frame_settings+5417>
0x005befb4 <+4500>: mov 0x7fac4c,%esi
0x005befba <+4506>: mov 0x3245(%esi),%dh
0x005befc0 <+4512>: add $0x1,%dh
0x005befc3 <+4515>: adc $0x0,%dh
0x005befc6 <+4518>: mov %dh,0x3245(%esi)
0x005befcc <+4524>: mov %cl,%dh
0x005befce <+4526>: and $0x7,%dh
0x005befd1 <+4529>: cmp %dl,%dh
0x005befd3 <+4531>: jge 0x5bf688 <h2_parse_frame_settings+6248>
0x005befd9 <+4537>: mov 0x7fac4c,%edx
0x005befdf <+4543>: mov 0x3242(%edx),%bl
0x005befe5 <+4549>: add $0x1,%bl
0x005befe8 <+4552>: adc $0x0,%bl
0x005befeb <+4555>: mov %bl,0x3242(%edx)
0x005beff1 <+4561>: jmp 0x5be122 <h2_parse_frame_settings+770>
0x005bf349 <+5417>: mov 0x7fac4c,%eax
0x005bf34e <+5422>: mov 0x3249(%eax),%cl
0x005bf354 <+5428>: add $0x1,%cl
0x005bf357 <+5431>: adc $0x0,%cl
0x005bf35a <+5434>: mov %cl,0x3249(%eax)
=> 0x005bf360 <+5440>: ud2
End of assembler dump.
Here are the info registers.
eax 0xf5b3c800 -172767232
ecx 0xf5b3c801 -172767231
edx 0xf5501503 -179301117
ebx 0xf5501507 -179301113
esp 0xffff43a0 0xffff43a0
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x5bf360 0x5bf360 <h2_parse_frame_settings+5440>
eflags 0x10202 [ IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
Updated by gstrauss almost 4 years ago
It looks like you missed the #0 ... at the beginning of the full stack. That is critical information to match up to the disassembly.
[Edit] looking at the eip in info registers
0x005bf349 <+5417>: mov 0x7fac4c,%eax
0x005bf34e <+5422>: mov 0x3249(%eax),%cl
0x005bf354 <+5428>: add $0x1,%cl
0x005bf357 <+5431>: adc $0x0,%cl
0x005bf35a <+5434>: mov %cl,0x3249(%eax)
=> 0x005bf360 <+5440>: ud2
Updated by gstrauss almost 4 years ago
As suggested by stbuehler, please provide a tcpdump of the traffic or an strace -o strace.log -s 4096 ... of your test program. Your words above have not described the requests sufficiently for someone to attempt to reproduce them.
Alternatively, please also consider sharing your test program (attach as a file by clicking the "Browse" button below).
Updated by axe34 almost 4 years ago
Here is the fixed full stack.
#0 h2_parse_frame_settings (con=<optimized out>, s=0xf550150c "", len=6) at h2.c:603
h2c = 0xf4303300
#1 0x005c1a5a in h2_init_con (h2r=0xf3703880, con=0xf3703880, http2_settings=0xf59006f0) at h2.c:1656
h2settings = "\000\000\f\004\000\000\000\000\000\000\003\000\000\000\b\000\006\000\000\377\377"
h2c = <optimized out>
#2 0x005d383d in h2_check_con_upgrade_h2c (r=<optimized out>) at h2.c:2538
upgrade = <optimized out>
http_connection = <optimized out>
http2_settings = <optimized out>
#3 0x00599e36 in connection_handle_read_state (con=0xf3703880) at connections.c:808
hoff = <optimized out>
cq = <optimized out>
discard_blank = <optimized out>
pipelined_request_start = <optimized out>
keepalive_request_start = <optimized out>
r = 0xf3703880
header_len = 149
clen = <optimized out>
c = 0xf3703914
hdrs = <optimized out>
#4 0x00590dfb in connection_state_machine_loop (r=<optimized out>, con=0xf3703880) at connections.c:1079
ostate = CON_STATE_REQUEST_START
#5 0x0058dea3 in connection_state_machine_h1 (r=0xf3703880, con=0xf5501503) at connections.c:1418
log_state_handling = <optimized out>
#6 0x005eada2 in network_server_handle_fdevent (context=0xf4503030, revents=1) at connections.c:1436
srv_socket = 0xf4503030
srv = 0xf5703c40
loops = <optimized out>
con = 0xf3b50800
--Type <RET> for more, q to quit, c to continue without paging--c
#7 0x00792764 in fdevent_linux_sysepoll_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
n = 1
#8 0x006e4133 in fdevent_poll (ev=0xf3703c80, timeout_ms=1000) at fdevent.c:436
n = <optimized out>
#9 0x00555964 in server_main_loop (srv=<optimized out>) at server.c:1902
min_ts = <optimized out>
joblist = <optimized out>
last_active_ts = 1612724530
#10 0x00547964 in main (argc=<optimized out>, argv=<optimized out>) at server.c:2034
srv = 0xf5703c40
rc = 1
I do not want to share my test program. It is super simple. It creates a new thread and opens a socket connection to the server and sends the input.
Updated by axe34 almost 4 years ago
For the request, I will provide the tcpdump later.
To explain it more, there is only one http request needed.
This is the http request
GET /alias/index.html HTTP/1.1
Host: 127.0.0.1:3000
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAEAAAAAAA3AAAAA
All my program does is that it takes this http request and sends it to the server.
Updated by gstrauss almost 4 years ago
Does the crash occur if you build without -fsanitize=address,undefined and with -O0?
CFLAGS='-m32 -g -O0' CXXFLAGS='-m32 -g -O0' ./configure
The assembly will be much easier to read without the additional instrumentation.
Updated by axe34 almost 4 years ago
The crash does not occur if I do not build with -fsanitize=address,undefined and -O0
The response is the standard one.
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c
Updated by gstrauss almost 4 years ago
I have inspected the ls-hpack code around its HPACK encoder history table and the code is fairly simple and straightforward. Since the issue still occurs for you with the patch disabling the call to lshpack_enc_use_hist(&h2c->encoder, 1); in h2.c, I believe that there is a better chance that there is something amiss in the libubsan instrumentation that results in SIGILL, rather than an issue in the lighttpd code. Still, I will leave this issue open for another week so that you can dig into the other request you mentioned which trigger crashes with lighttpd instrumented with libasan/libubsan. You might see if there is a difference if you compile lighttpd with gcc and with clang.
I do not want to share my test program. It is super simple. It creates a new thread and opens a socket connection to the server and sends the input.
After the initial HTTP/1.1 request with Connection: Upgrade, HTTP2-Settings, does your program decode the HTTP/2 frames? Does your program send an HTTP/2 GOAWAY frame or other HTTP/2 frames? Or does your program close the connection?
Updated by axe34 almost 4 years ago
My program just sends the request and then closes the connection.
Updated by gstrauss almost 4 years ago
stbuehler pointed out to me on IRC that your "crash" might be a hard failure of the instrumentation, which should have issued trace instead.
In my tests, I was able to elicit the warning:
h2.c:605:28: runtime error: left shift of 192 by 24 places cannot be represented in type 'int'
That '192' comes from the 3rd setting of your fabricated HTTP2-Settings 000d c000 0000. The c0 is bit-shifted left 24 bits, and the high bit ends up shifting into the sign bit of the 32-bit quantity, which may technically be undefined behavior on a 32-bit int (to which a (uint8_t *) character was promoted).
See if this patch makes your SIGILL disappear. (I have a more comprehensive patch on my dev branch)
--- a/src/h2.c +++ b/src/h2.c @@ -602,7 +602,7 @@ h2_parse_frame_settings (connection * const con, const uint8_t *s, uint32_t len) /*(caller must validate frame len, frame type == 0x04, frame id == 0)*/ h2con * const h2c = con->h2; for (; len >= 6; len -= 6, s += 6) { - uint32_t v = (s[2] << 24) | (s[3] << 16) | (s[4] << 8) | s[5]; + uint32_t v = (((uint32_t)s[2]) << 24) | (s[3] << 16) | (s[4] << 8) | s[5]; switch (((s[0] << 8) | s[1])) { case H2_SETTINGS_HEADER_TABLE_SIZE: /* encoder may use any table size <= value sent by peer */
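Review bot: On the changed line computing v, only s[2] is cast to uint32_t, while (s[3] << 16) and (s[4] << 8) are still evaluated in int after integer promotion. Those two shifts cannot reach the sign bit, so the result is correct, but the asymmetry is unexplained in the code and invites a later edit to drop the cast. Suggest casting each byte before shifting, or moving the big-endian 32-bit load into a small helper, and adding a short comment that the cast keeps the 24-bit shift out of signed int. The identifier expression (s[0] << 8) | s[1] in the switch stays well inside int range and needs no change.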
Updated by axe34 almost 4 years ago
The response is the standard response.
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: h2c
Updated by gstrauss almost 4 years ago
- Subject changed from Illegal Instruction when sending Malicious Data through HTTP2 Frame to pedantic warning from -fsanitize=undefined
- Status changed from Need Feedback to Patch Pending
- Target version changed from 1.4.x to 1.4.60
Retitled this issue. The behavior is defined in C++. While technically undefined behavior in C according to the spec, in practice, the bit-shift is within the range of the register, whether 32-bit or 64-bit, and the result in the code is assigned to a uint32_t.
Updated by axe34 almost 4 years ago
But wouldn't this be an integer overflow because of the bitshift
Updated by gstrauss almost 4 years ago
I see so it does not warrant a cve
It does not. It does not even qualify as a bug. It is a pedantic warning.
But wouldn't this be an integer overflow because of the bitshift
No, not for logical bit shift. Yes, if arithmetic shift on int. The result is assigned to a uint32_t, so it does not matter.
A uint8_t is bit-shifted left 24 bits. Please re-read what I already posted and count the bits yourself.
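The bit counting discussed above, worked through on the HTTP2-Settings value from this report, as an added example that is not lighttpd's code: it decodes the base64url value, parses the 6-byte entries with an all-unsigned big-endian load, and flags entries whose top value byte is 0x80 or higher, the case where a shift evaluated in promoted int reaches the sign bit. The helpers b64url_decode, load_be32, shift_overflows_int, parse_settings and analyze are hypothetical names, and a 32-bit int is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example; helper names are hypothetical, int is assumed 32-bit. */
struct h2_setting { uint16_t id; uint32_t value; };

/* Map one base64url character to its 6-bit value, -1 if invalid. */
static int b64url_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode unpadded base64url into out; returns byte count, -1 on error. */
static int b64url_decode(const char *in, uint8_t *out, size_t outsz) {
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; ++in) {
        int v = b64url_val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n == outsz) return -1;
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)n;
}

/* Big-endian 32-bit load: every byte is widened to uint32_t before the
 * shift, so no shift is evaluated in signed int. */
static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Would (b << 24), evaluated in 32-bit int after integer promotion, exceed
 * INT32_MAX?  Computed in 64 bits so the check itself is well defined. */
static int shift_overflows_int(uint8_t b) {
    return ((int64_t)b << 24) > (int64_t)INT32_MAX;
}

/* Parse a SETTINGS payload, 6 bytes per entry; returns the entry count. */
static size_t parse_settings(const uint8_t *s, size_t len,
                             struct h2_setting *out, size_t max) {
    size_t n = 0;
    for (; len >= 6 && n < max; len -= 6, s += 6, ++n) {
        out[n].id = (uint16_t)((s[0] << 8) | s[1]); /* at most 0xffff */
        out[n].value = load_be32(s + 2);
    }
    return n;
}

/* Decode a header value, fill out[], and return how many entries carry a
 * top value byte that a signed 24-bit shift cannot represent (-1 on error). */
static int analyze(const char *hdr, struct h2_setting *out, size_t max,
                   size_t *count) {
    uint8_t raw[64];
    int len = b64url_decode(hdr, raw, sizeof raw);
    if (len < 0 || len % 6 != 0) return -1;
    *count = parse_settings(raw, (size_t)len, out, max);
    int flagged = 0;
    for (size_t i = 0; i < *count; ++i)
        flagged += shift_overflows_int((uint8_t)(out[i].value >> 24));
    return flagged;
}

int main(void) {
    /* HTTP2-Settings value quoted in the report above */
    const char *hdr = "AAMAAABkAAEAAAAAAA3AAAAA";
    struct h2_setting st[8];
    size_t n = 0;
    int flagged = analyze(hdr, st, 8, &n);
    for (size_t i = 0; i < n; ++i)
        printf("id=0x%04x value=0x%08x\n", st[i].id, (unsigned)st[i].value);
    printf("entries with top byte >= 0x80: %d\n", flagged);
    return 0;
}
```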
Updated by gstrauss almost 4 years ago
You seem to have a misunderstanding about what a CVE is and what qualifies as a CVE.
As I have posted before, not all bugs are vulnerabilities. Vulnerabilities are a subset of bugs.
Please do some reading on the official CVE site:
https://cve.mitre.org/about/terminology.html#vulnerability and see their definition of "vulnerability"
https://cve.mitre.org/cve/cna/rules.html#section_7-1_what_is_a_vulnerability
More specifically, a bug must violate security policy and have an impact. In other words, before you would even try to file a CVE, you need to do a much, much, much better job of understanding the impact of a bug, how the bug is a vulnerability, and be able to demonstrate or describe how the vulnerability might be exploited.
Updated by gstrauss almost 4 years ago
- Status changed from Patch Pending to Fixed
Applied in changeset 603a1fa573f05fa38050fb664382d4d3696ec573.