Off-by-one in HTTP2SettingsRegistry.Merge() #228

@vigo2

This affects at least BestHTTP versions 2.5.3 through 2.8.5: when the server-sent HTTP2Settings include SETTINGS_NO_RFC7540_PRIORITIES = 0x09, merging fails with an IndexOutOfRangeException.

Those versions have HTTP2SettingsManager.SettingsCount = 9 (0x01, ..., 0x08), which determines the length of the HTTP2SettingsRegistry.values array.

In HTTP2SettingsRegistry::Merge(),

if (key > 0 && key <= HTTP2SettingsManager.SettingsCount)

guards the merging, which wrongly allows SETTINGS_NO_RFC7540_PRIORITIES = 0x09 to be merged, causing the IndexOutOfRangeException.

With

if (key > 0 && key < HTTP2SettingsManager.SettingsCount)

the problem disappears.

Note that BestHTTP 2.5.3 silently drops this exception, but still closes the connection.

We've run into this problem after upgrading Caddy on our servers: the HTTP/2 implementation in the latest golang versions sends SETTINGS_NO_RFC7540_PRIORITIES by default.

BestHTTP 3+ isn't affected.
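
A minimal reproduction of the guard described in this issue, added here as an illustration and not taken from BestHTTP's source. The class, method and sample payload are constructed; only the array length of 9 and the two guard expressions come from the report.

```csharp
using System;

// Hypothetical stand-in for the registry described in the issue; not BestHTTP code.
static class SettingsMergeDemo
{
    const int SettingsCount = 9;   // array length from the report: valid indexes are 0..8

    // Parses a SETTINGS payload (6 bytes per entry: 16-bit id, 32-bit value, big-endian)
    // and merges it into a fixed array. inclusiveGuard=true reproduces the reported check.
    static uint[] Merge(byte[] payload, bool inclusiveGuard)
    {
        if (payload.Length % 6 != 0)
            throw new ArgumentException("SETTINGS payload must be a multiple of 6 bytes");

        var values = new uint[SettingsCount];
        for (int i = 0; i < payload.Length; i += 6)
        {
            int key = (payload[i] << 8) | payload[i + 1];
            uint value = ((uint)payload[i + 2] << 24) | ((uint)payload[i + 3] << 16)
                       | ((uint)payload[i + 4] << 8) | payload[i + 5];

            bool accepted = inclusiveGuard
                ? key > 0 && key <= SettingsCount   // lets key == 9 through
                : key > 0 && key < SettingsCount;   // rejects key == 9

            if (accepted)
                values[key] = value;                // throws for key == 9 with the inclusive guard
            // Otherwise the identifier is unknown to this registry and is skipped;
            // RFC 9113 section 6.5.2 requires unknown settings to be ignored.
        }
        return values;
    }

    static void Main()
    {
        // Constructed payload: SETTINGS_MAX_CONCURRENT_STREAMS (0x03) = 250,
        // then SETTINGS_NO_RFC7540_PRIORITIES (0x09) = 1.
        byte[] payload = { 0x00, 0x03, 0, 0, 0, 250, 0x00, 0x09, 0, 0, 0, 1 };

        try { Merge(payload, inclusiveGuard: true); }
        catch (IndexOutOfRangeException e)
        { Console.WriteLine("inclusive guard: " + e.GetType().Name); }

        uint[] merged = Merge(payload, inclusiveGuard: false);
        Console.WriteLine("exclusive guard: MAX_CONCURRENT_STREAMS=" + merged[0x03]
                          + ", 0x09 ignored");
    }
}
```

With the exclusive guard the peer's other settings still merge and the connection stays up, which is the behaviour a client needs when a server starts advertising a setting it does not know.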
