grpc 1.55.0 → 1.55.3

data/src/core/ext/transport/chttp2/transport/hpack_parser.cc

@@ -24,7 +24,6 @@
 #include <stdlib.h>
 
 #include <algorithm>
-#include <initializer_list>
 #include <string>
 #include <utility>
 
@@ -32,21 +31,22 @@
 #include "absl/status/status.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
-#include "absl/strings/str_format.h"
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
 #include "absl/types/span.h"
 #include "absl/types/variant.h"
 
+#include <grpc/slice.h>
 #include <grpc/support/log.h>
 
 #include "src/core/ext/transport/chttp2/transport/decode_huff.h"
 #include "src/core/ext/transport/chttp2/transport/hpack_constants.h"
+#include "src/core/ext/transport/chttp2/transport/hpack_parse_result.h"
+#include "src/core/ext/transport/chttp2/transport/hpack_parser_table.h"
 #include "src/core/lib/debug/stats.h"
 #include "src/core/lib/debug/stats_data.h"
 #include "src/core/lib/debug/trace.h"
-#include "src/core/lib/gprpp/crash.h"
-#include "src/core/lib/gprpp/status_helper.h"
+#include "src/core/lib/gprpp/match.h"
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_refcount.h"
 #include "src/core/lib/surface/validate_metadata.h"
@@ -82,39 +82,6 @@ struct Base64InverseTable {
 
 constexpr Base64InverseTable kBase64InverseTable;
 
-absl::Status EnsureStreamError(absl::Status error) {
-  if (error.ok()) return error;
-  return grpc_error_set_int(std::move(error), StatusIntProperty::kStreamId, 0);
-}
-
-bool IsStreamError(const absl::Status& status) {
-  intptr_t stream_id;
-  return grpc_error_get_int(status, StatusIntProperty::kStreamId, &stream_id);
-}
-
-class MetadataSizeLimitExceededEncoder {
- public:
-  explicit MetadataSizeLimitExceededEncoder(std::string& summary)
-      : summary_(summary) {}
-
-  void Encode(const Slice& key, const Slice& value) {
-    AddToSummary(key.as_string_view(), value.size());
-  }
-
-  template <typename Key, typename Value>
-  void Encode(Key, const Value& value) {
-    AddToSummary(Key::key(), EncodedSizeOfKey(Key(), value));
-  }
-
- private:
-  void AddToSummary(absl::string_view key,
-                    size_t value_length) GPR_ATTRIBUTE_NOINLINE {
-    absl::StrAppend(&summary_, " ", key, ":",
-                    hpack_constants::SizeForEntry(key.size(), value_length),
-                    "B");
-  }
-  std::string& summary_;
-};
 }  // namespace
 
 // Input tracks the current byte through the input data and provides it
@@ -122,11 +89,12 @@ class MetadataSizeLimitExceededEncoder {
 class HPackParser::Input {
  public:
   Input(grpc_slice_refcount* current_slice_refcount, const uint8_t* begin,
-        const uint8_t* end)
+        const uint8_t* end, HpackParseResult& error)
       : current_slice_refcount_(current_slice_refcount),
         begin_(begin),
         end_(end),
-        frontier_(begin) {}
+        frontier_(begin),
+        error_(error) {}
 
   // If input is backed by a slice, retrieve its refcount. If not, return
   // nullptr.
@@ -156,7 +124,7 @@ class HPackParser::Input {
   // of stream
   absl::optional<uint8_t> Next() {
     if (end_of_stream()) {
-      UnexpectedEOF();
+      UnexpectedEOF(/*min_progress_size=*/1);
       return absl::optional<uint8_t>();
     }
     return *begin_++;
@@ -202,9 +170,16 @@ class HPackParser::Input {
 
     // Spec weirdness: we can add an infinite stream of 0x80 at the end of a
     // varint and still end up with a correctly encoded varint.
+    // We allow up to 16 just for kicks, but any more and we'll assume the
+    // sender is being malicious.
+    int num_redundant_0x80 = 0;
     do {
       cur = Next();
       if (!cur.has_value()) return {};
+      ++num_redundant_0x80;
+      if (num_redundant_0x80 == 16) {
+        return ParseVarintMaliciousEncoding();
+      }
     } while (*cur == 0x80);
 
     // BUT... the last byte needs to be 0x00 or we'll overflow dramatically!
@@ -212,14 +187,6 @@ class HPackParser::Input {
     return ParseVarintOutOfRange(value, *cur);
   }
 
-  // Prefix for a string
-  struct StringPrefix {
-    // Number of bytes in input for string
-    uint32_t length;
-    // Is it huffman compressed
-    bool huff;
-  };
-
   // Parse a string prefix
   absl::optional<StringPrefix> ParseStringPrefix() {
     auto cur = Next();
@@ -243,17 +210,13 @@ class HPackParser::Input {
     return StringPrefix{strlen, huff};
   }
 
-  // Check if we saw an EOF.. must be verified before looking at TakeError
+  // Check if we saw an EOF
   bool eof_error() const {
-    return eof_error_ || (!error_.ok() && !IsStreamError(error_));
+    return min_progress_size_ != 0 || error_.connection_error();
   }
 
-  // Extract the parse error, leaving the current error as NONE.
-  grpc_error_handle TakeError() {
-    grpc_error_handle out = error_;
-    error_ = absl::OkStatus();
-    return out;
-  }
+  // Minimum number of bytes to unstuck the current parse
+  size_t min_progress_size() const { return min_progress_size_; }
 
   bool has_error() const { return !error_.ok(); }
 
@@ -261,31 +224,55 @@ class HPackParser::Input {
   // chttp2 does not close the connection.
   // Intended for errors that are specific to a stream and recoverable.
   // Callers should ensure that any hpack table updates happen.
-  GPR_ATTRIBUTE_NOINLINE void SetErrorAndContinueParsing(
-      grpc_error_handle error) {
-    GPR_ASSERT(!error.ok());
-    // StreamId is used as a signal to skip this stream but keep the connection
-    // alive
-    SetError(EnsureStreamError(std::move(error)));
+  void SetErrorAndContinueParsing(HpackParseResult error) {
+    GPR_DEBUG_ASSERT(error.stream_error());
+    SetError(std::move(error));
   }
 
   // Set the current error, and skip past remaining bytes.
   // Intended for unrecoverable errors, with the expectation that they will
   // close the connection on return to chttp2.
-  GPR_ATTRIBUTE_NOINLINE void SetErrorAndStopParsing(grpc_error_handle error) {
-    GPR_ASSERT(!error.ok());
+  void SetErrorAndStopParsing(HpackParseResult error) {
+    GPR_DEBUG_ASSERT(error.connection_error());
     SetError(std::move(error));
     begin_ = end_;
   }
 
-  // Set the error to an unexpected eof
-  void UnexpectedEOF() {
-    if (!error_.ok() && !IsStreamError(error_)) return;
-    eof_error_ = true;
+  // Set the error to an unexpected eof.
+  // min_progress_size: how many bytes beyond the current frontier do we need to
+  // read prior to being able to get further in this parse.
+  void UnexpectedEOF(size_t min_progress_size) {
+    GPR_ASSERT(min_progress_size > 0);
+    if (min_progress_size_ != 0 || error_.connection_error()) {
+      GPR_DEBUG_ASSERT(eof_error());
+      return;
+    }
+    // Set min progress size, taking into account bytes parsed already but not
+    // consumed.
+    min_progress_size_ = min_progress_size + (begin_ - frontier_);
+    GPR_DEBUG_ASSERT(eof_error());
   }
 
   // Update the frontier - signifies we've successfully parsed another element
-  void UpdateFrontier() { frontier_ = begin_; }
+  void UpdateFrontier() {
+    GPR_DEBUG_ASSERT(skip_bytes_ == 0);
+    frontier_ = begin_;
+  }
+
+  void UpdateFrontierAndSkipBytes(size_t skip_bytes) {
+    UpdateFrontier();
+    size_t remaining = end_ - begin_;
+    if (skip_bytes >= remaining) {
+      // If we have more bytes to skip than we have remaining in this buffer
+      // then we skip over what's there and stash that we need to skip some
+      // more.
+      skip_bytes_ = skip_bytes - remaining;
+      frontier_ = end_;
+    } else {
+      // Otherwise we zoom through some bytes and continue parsing.
+      frontier_ += skip_bytes_;
+    }
+  }
 
   // Get the frontier - for buffering should we fail due to eof
   const uint8_t* frontier() const { return frontier_; }
@@ -294,19 +281,23 @@ class HPackParser::Input {
   // Helper to set the error to out of range for ParseVarint
   absl::optional<uint32_t> ParseVarintOutOfRange(uint32_t value,
                                                  uint8_t last_byte) {
-    SetErrorAndStopParsing(absl::InternalError(absl::StrFormat(
-        "integer overflow in hpack integer decoding: have 0x%08x, "
-        "got byte 0x%02x on byte 5",
-        value, last_byte)));
+    SetErrorAndStopParsing(
+        HpackParseResult::VarintOutOfRangeError(value, last_byte));
+    return absl::optional<uint32_t>();
+  }
+
+  // Helper to set the error in the case of a malicious encoding
+  absl::optional<uint32_t> ParseVarintMaliciousEncoding() {
+    SetErrorAndStopParsing(HpackParseResult::MaliciousVarintEncodingError());
     return absl::optional<uint32_t>();
   }
 
   // If no error is set, set it to the given error (i.e. first error wins)
   // Do not use this directly, instead use SetErrorAndContinueParsing or
   // SetErrorAndStopParsing.
-  void SetError(grpc_error_handle error) {
-    if (!error_.ok() || eof_error_) {
-      if (!IsStreamError(error) && IsStreamError(error_)) {
+  void SetError(HpackParseResult error) {
+    if (!error_.ok() || min_progress_size_ > 0) {
+      if (error.connection_error() && !error_.connection_error()) {
         error_ = std::move(error);  // connection errors dominate
       }
       return;
@@ -323,211 +314,156 @@ class HPackParser::Input {
   // Frontier denotes the first byte past successfully processed input
   const uint8_t* frontier_;
   // Current error
-  grpc_error_handle error_;
-  // If the error was EOF, we flag it here..
-  bool eof_error_ = false;
+  HpackParseResult& error_;
+  // If the error was EOF, we flag it here by noting how many more bytes would
+  // be needed to make progress
+  size_t min_progress_size_ = 0;
+  // Number of bytes that should be skipped before parsing resumes.
+  // (We've failed parsing a request for whatever reason, but we're still
+  // continuing the connection so we need to see future opcodes after this bit).
+  size_t skip_bytes_ = 0;
 };
 
-// Helper to parse a string and turn it into a slice with appropriate memory
-// management characteristics
-class HPackParser::String {
- public:
-  // ParseResult carries both a ParseStatus and the parsed string
-  struct ParseResult;
-  // Result of parsing a string
-  enum class ParseStatus {
-    // Parsed OK
-    kOk,
-    // Parse reached end of the current frame
-    kEof,
-    // Parse failed due to a huffman decode error
-    kParseHuffFailed,
-    // Parse failed due to a base64 decode error
-    kUnbase64Failed,
-  };
-
-  String() : value_(absl::Span<const uint8_t>()) {}
-  String(const String&) = delete;
-  String& operator=(const String&) = delete;
-  String(String&& other) noexcept : value_(std::move(other.value_)) {
-    other.value_ = absl::Span<const uint8_t>();
-  }
-  String& operator=(String&& other) noexcept {
-    value_ = std::move(other.value_);
-    other.value_ = absl::Span<const uint8_t>();
-    return *this;
+absl::string_view HPackParser::String::string_view() const {
+  if (auto* p = absl::get_if<Slice>(&value_)) {
+    return p->as_string_view();
+  } else if (auto* p = absl::get_if<absl::Span<const uint8_t>>(&value_)) {
+    return absl::string_view(reinterpret_cast<const char*>(p->data()),
+                             p->size());
+  } else if (auto* p = absl::get_if<std::vector<uint8_t>>(&value_)) {
+    return absl::string_view(reinterpret_cast<const char*>(p->data()),
+                             p->size());
   }
+  GPR_UNREACHABLE_CODE(return absl::string_view());
+}
 
-  // Take the value and leave this empty
-  Slice Take();
-
-  // Return a reference to the value as a string view
-  absl::string_view string_view() const {
-    if (auto* p = absl::get_if<Slice>(&value_)) {
-      return p->as_string_view();
-    } else if (auto* p = absl::get_if<absl::Span<const uint8_t>>(&value_)) {
-      return absl::string_view(reinterpret_cast<const char*>(p->data()),
-                               p->size());
-    } else if (auto* p = absl::get_if<std::vector<uint8_t>>(&value_)) {
-      return absl::string_view(reinterpret_cast<const char*>(p->data()),
-                               p->size());
-    }
-    GPR_UNREACHABLE_CODE(return absl::string_view());
+template <typename Out>
+HpackParseStatus HPackParser::String::ParseHuff(Input* input, uint32_t length,
+                                                Out output) {
+  // If there's insufficient bytes remaining, return now.
+  if (input->remaining() < length) {
+    input->UnexpectedEOF(/*min_progress_size=*/length);
+    return HpackParseStatus::kEof;
   }
+  // Grab the byte range, and iterate through it.
+  const uint8_t* p = input->cur_ptr();
+  input->Advance(length);
+  return HuffDecoder<Out>(output, p, p + length).Run()
+             ? HpackParseStatus::kOk
+             : HpackParseStatus::kParseHuffFailed;
+}
 
-  // Parse a non-binary string
-  static ParseResult Parse(Input* input);
+struct HPackParser::String::StringResult {
+  StringResult() = delete;
+  StringResult(HpackParseStatus status, size_t wire_size, String value)
+      : status(status), wire_size(wire_size), value(std::move(value)) {}
+  HpackParseStatus status;
+  size_t wire_size;
+  String value;
+};
 
-  // Parse a binary string
-  static ParseResult ParseBinary(Input* input);
+HPackParser::String::StringResult HPackParser::String::ParseUncompressed(
+    Input* input, uint32_t length, uint32_t wire_size) {
+  // Check there's enough bytes
+  if (input->remaining() < length) {
+    input->UnexpectedEOF(/*min_progress_size=*/length);
+    GPR_DEBUG_ASSERT(input->eof_error());
+    return StringResult{HpackParseStatus::kEof, wire_size, String{}};
+  }
+  auto* refcount = input->slice_refcount();
+  auto* p = input->cur_ptr();
+  input->Advance(length);
+  if (refcount != nullptr) {
+    return StringResult{HpackParseStatus::kOk, wire_size,
+                        String(refcount, p, p + length)};
+  } else {
+    return StringResult{HpackParseStatus::kOk, wire_size,
+                        String(absl::Span<const uint8_t>(p, length))};
+  }
+}
 
- private:
-  void AppendBytes(const uint8_t* data, size_t length);
-  explicit String(std::vector<uint8_t> v) : value_(std::move(v)) {}
-  explicit String(absl::Span<const uint8_t> v) : value_(v) {}
-  String(grpc_slice_refcount* r, const uint8_t* begin, const uint8_t* end)
-      : value_(Slice::FromRefcountAndBytes(r, begin, end)) {}
-
-  // Parse some huffman encoded bytes, using output(uint8_t b) to emit each
-  // decoded byte.
-  template <typename Out>
-  static ParseStatus ParseHuff(Input* input, uint32_t length, Out output) {
-    // If there's insufficient bytes remaining, return now.
-    if (input->remaining() < length) {
-      input->UnexpectedEOF();
-      GPR_DEBUG_ASSERT(input->eof_error());
-      return ParseStatus::kEof;
-    }
-    // Grab the byte range, and iterate through it.
-    const uint8_t* p = input->cur_ptr();
-    input->Advance(length);
-    return HuffDecoder<Out>(output, p, p + length).Run()
-               ? ParseStatus::kOk
-               : ParseStatus::kParseHuffFailed;
+absl::optional<std::vector<uint8_t>> HPackParser::String::Unbase64Loop(
+    const uint8_t* cur, const uint8_t* end) {
+  while (cur != end && end[-1] == '=') {
+    --end;
   }
 
-  // Parse some uncompressed string bytes.
-  static ParseResult ParseUncompressed(Input* input, uint32_t length,
-                                       uint32_t wire_size);
+  std::vector<uint8_t> out;
+  out.reserve(3 * (end - cur) / 4 + 3);
+
+  // Decode 4 bytes at a time while we can
+  while (end - cur >= 4) {
+    uint32_t bits = kBase64InverseTable.table[*cur];
+    if (bits > 63) return {};
+    uint32_t buffer = bits << 18;
+    ++cur;
+
+    bits = kBase64InverseTable.table[*cur];
+    if (bits > 63) return {};
+    buffer |= bits << 12;
+    ++cur;
+
+    bits = kBase64InverseTable.table[*cur];
+    if (bits > 63) return {};
+    buffer |= bits << 6;
+    ++cur;
+
+    bits = kBase64InverseTable.table[*cur];
+    if (bits > 63) return {};
+    buffer |= bits;
+    ++cur;
+
+    out.insert(out.end(), {static_cast<uint8_t>(buffer >> 16),
+                           static_cast<uint8_t>(buffer >> 8),
+                           static_cast<uint8_t>(buffer)});
+  }
+  // Deal with the last 0, 1, 2, or 3 bytes.
+  switch (end - cur) {
+    case 0:
+      return out;
+    case 1:
+      return {};
+    case 2: {
+      uint32_t bits = kBase64InverseTable.table[*cur];
+      if (bits > 63) return {};
+      uint32_t buffer = bits << 18;
 
-  // Turn base64 encoded bytes into not base64 encoded bytes.
-  static ParseResult Unbase64(String s);
+      ++cur;
+      bits = kBase64InverseTable.table[*cur];
+      if (bits > 63) return {};
+      buffer |= bits << 12;
 
-  // Main loop for Unbase64
-  static absl::optional<std::vector<uint8_t>> Unbase64Loop(const uint8_t* cur,
-                                                           const uint8_t* end) {
-    while (cur != end && end[-1] == '=') {
-      --end;
+      if (buffer & 0xffff) return {};
+      out.push_back(static_cast<uint8_t>(buffer >> 16));
+      return out;
     }
-
-    std::vector<uint8_t> out;
-    out.reserve(3 * (end - cur) / 4 + 3);
-
-    // Decode 4 bytes at a time while we can
-    while (end - cur >= 4) {
+    case 3: {
       uint32_t bits = kBase64InverseTable.table[*cur];
       if (bits > 63) return {};
       uint32_t buffer = bits << 18;
-      ++cur;
 
+      ++cur;
       bits = kBase64InverseTable.table[*cur];
       if (bits > 63) return {};
       buffer |= bits << 12;
-      ++cur;
 
+      ++cur;
       bits = kBase64InverseTable.table[*cur];
       if (bits > 63) return {};
       buffer |= bits << 6;
-      ++cur;
 
-      bits = kBase64InverseTable.table[*cur];
-      if (bits > 63) return {};
-      buffer |= bits;
       ++cur;
-
-      out.insert(out.end(), {static_cast<uint8_t>(buffer >> 16),
-                             static_cast<uint8_t>(buffer >> 8),
-                             static_cast<uint8_t>(buffer)});
+      if (buffer & 0xff) return {};
+      out.push_back(static_cast<uint8_t>(buffer >> 16));
+      out.push_back(static_cast<uint8_t>(buffer >> 8));
+      return out;
     }
-    // Deal with the last 0, 1, 2, or 3 bytes.
-    switch (end - cur) {
-      case 0:
-        return out;
-      case 1:
-        return {};
-      case 2: {
-        uint32_t bits = kBase64InverseTable.table[*cur];
-        if (bits > 63) return {};
-        uint32_t buffer = bits << 18;
-
-        ++cur;
-        bits = kBase64InverseTable.table[*cur];
-        if (bits > 63) return {};
-        buffer |= bits << 12;
-
-        if (buffer & 0xffff) return {};
-        out.push_back(static_cast<uint8_t>(buffer >> 16));
-        return out;
-      }
-      case 3: {
-        uint32_t bits = kBase64InverseTable.table[*cur];
-        if (bits > 63) return {};
-        uint32_t buffer = bits << 18;
-
-        ++cur;
-        bits = kBase64InverseTable.table[*cur];
-        if (bits > 63) return {};
-        buffer |= bits << 12;
-
-        ++cur;
-        bits = kBase64InverseTable.table[*cur];
-        if (bits > 63) return {};
-        buffer |= bits << 6;
-
-        ++cur;
-        if (buffer & 0xff) return {};
-        out.push_back(static_cast<uint8_t>(buffer >> 16));
-        out.push_back(static_cast<uint8_t>(buffer >> 8));
-        return out;
-      }
-    }
-
-    GPR_UNREACHABLE_CODE(return out;);
   }
 
-  absl::variant<Slice, absl::Span<const uint8_t>, std::vector<uint8_t>> value_;
-};
-
-struct HPackParser::String::ParseResult {
-  ParseResult() = delete;
-  ParseResult(ParseStatus status, size_t wire_size, String value)
-      : status(status), wire_size(wire_size), value(std::move(value)) {}
-  ParseStatus status;
-  size_t wire_size;
-  String value;
-};
-
-HPackParser::String::ParseResult HPackParser::String::ParseUncompressed(
-    Input* input, uint32_t length, uint32_t wire_size) {
-  // Check there's enough bytes
-  if (input->remaining() < length) {
-    input->UnexpectedEOF();
-    GPR_DEBUG_ASSERT(input->eof_error());
-    return ParseResult{ParseStatus::kEof, wire_size, String{}};
-  }
-  auto* refcount = input->slice_refcount();
-  auto* p = input->cur_ptr();
-  input->Advance(length);
-  if (refcount != nullptr) {
-    return ParseResult{ParseStatus::kOk, wire_size,
-                       String(refcount, p, p + length)};
-  } else {
-    return ParseResult{ParseStatus::kOk, wire_size,
-                       String(absl::Span<const uint8_t>(p, length))};
-  }
+  GPR_UNREACHABLE_CODE(return out;);
 }
 
-HPackParser::String::ParseResult HPackParser::String::Unbase64(String s) {
+HPackParser::String::StringResult HPackParser::String::Unbase64(String s) {
   absl::optional<std::vector<uint8_t>> result;
   if (auto* p = absl::get_if<Slice>(&s.value_)) {
     result = Unbase64Loop(p->begin(), p->end());
@@ -539,46 +475,38 @@ HPackParser::String::ParseResult HPackParser::String::Unbase64(String s) {
     result = Unbase64Loop(p->data(), p->data() + p->size());
   }
   if (!result.has_value()) {
-    return ParseResult{ParseStatus::kUnbase64Failed, s.string_view().length(),
-                       String{}};
+    return StringResult{HpackParseStatus::kUnbase64Failed,
+                        s.string_view().length(), String{}};
   }
-  return ParseResult{ParseStatus::kOk, s.string_view().length(),
-                     String(std::move(*result))};
+  return StringResult{HpackParseStatus::kOk, s.string_view().length(),
+                      String(std::move(*result))};
 }
 
-HPackParser::String::ParseResult HPackParser::String::Parse(Input* input) {
-  auto pfx = input->ParseStringPrefix();
-  if (!pfx.has_value()) {
-    GPR_DEBUG_ASSERT(input->eof_error());
-    return ParseResult{ParseStatus::kEof, 0, String{}};
-  }
-  if (pfx->huff) {
+HPackParser::String::StringResult HPackParser::String::Parse(Input* input,
+                                                             bool is_huff,
+                                                             size_t length) {
+  if (is_huff) {
     // Huffman coded
     std::vector<uint8_t> output;
-    ParseStatus sts = ParseHuff(input, pfx->length,
-                                [&output](uint8_t c) { output.push_back(c); });
+    HpackParseStatus sts =
+        ParseHuff(input, length, [&output](uint8_t c) { output.push_back(c); });
     size_t wire_len = output.size();
-    return ParseResult{sts, wire_len, String(std::move(output))};
+    return StringResult{sts, wire_len, String(std::move(output))};
   }
-  return ParseUncompressed(input, pfx->length, pfx->length);
+  return ParseUncompressed(input, length, length);
 }
 
-HPackParser::String::ParseResult HPackParser::String::ParseBinary(
-    Input* input) {
-  auto pfx = input->ParseStringPrefix();
-  if (!pfx.has_value()) {
-    GPR_DEBUG_ASSERT(input->eof_error());
-    return ParseResult{ParseStatus::kEof, 0, String{}};
-  }
-  if (!pfx->huff) {
-    if (pfx->length > 0 && input->peek() == 0) {
+HPackParser::String::StringResult HPackParser::String::ParseBinary(
+    Input* input, bool is_huff, size_t length) {
+  if (!is_huff) {
+    if (length > 0 && input->peek() == 0) {
       // 'true-binary'
       input->Advance(1);
-      return ParseUncompressed(input, pfx->length - 1, pfx->length);
+      return ParseUncompressed(input, length - 1, length);
     }
     // Base64 encoded... pull out the string, then unbase64 it
-    auto base64 = ParseUncompressed(input, pfx->length, pfx->length);
-    if (base64.status != ParseStatus::kOk) return base64;
+    auto base64 = ParseUncompressed(input, length, length);
+    if (base64.status != HpackParseStatus::kOk) return base64;
     return Unbase64(std::move(base64.value));
   } else {
     // Huffman encoded...
@@ -587,36 +515,35 @@ HPackParser::String::ParseResult HPackParser::String::ParseBinary(
     // and what is it.
     enum class State { kUnsure, kBinary, kBase64 };
     State state = State::kUnsure;
-    auto sts =
-        ParseHuff(input, pfx->length, [&state, &decompressed](uint8_t c) {
-          if (state == State::kUnsure) {
-            // First byte... if it's zero it's binary
-            if (c == 0) {
-              // Save the type, and skip the zero
-              state = State::kBinary;
-              return;
-            } else {
-              // Flag base64, store this value
-              state = State::kBase64;
-            }
-          }
-          // Non-first byte, or base64 first byte
-          decompressed.push_back(c);
-        });
-    if (sts != ParseStatus::kOk) {
-      return ParseResult{sts, 0, String{}};
+    auto sts = ParseHuff(input, length, [&state, &decompressed](uint8_t c) {
+      if (state == State::kUnsure) {
+        // First byte... if it's zero it's binary
+        if (c == 0) {
+          // Save the type, and skip the zero
+          state = State::kBinary;
+          return;
+        } else {
+          // Flag base64, store this value
+          state = State::kBase64;
+        }
+      }
+      // Non-first byte, or base64 first byte
+      decompressed.push_back(c);
+    });
+    if (sts != HpackParseStatus::kOk) {
+      return StringResult{sts, 0, String{}};
     }
     switch (state) {
       case State::kUnsure:
         // No bytes, empty span
-        return ParseResult{ParseStatus::kOk, 0,
-                           String(absl::Span<const uint8_t>())};
+        return StringResult{HpackParseStatus::kOk, 0,
+                            String(absl::Span<const uint8_t>())};
       case State::kBinary:
         // Binary, we're done
         {
           size_t wire_len = decompressed.size();
-          return ParseResult{ParseStatus::kOk, wire_len,
-                             String(std::move(decompressed))};
+          return StringResult{HpackParseStatus::kOk, wire_len,
+                              String(std::move(decompressed))};
         }
       case State::kBase64:
         // Base64 - unpack it
@@ -629,28 +556,38 @@ HPackParser::String::ParseResult HPackParser::String::ParseBinary(
 // Parser parses one key/value pair from a byte stream.
 class HPackParser::Parser {
  public:
-  Parser(Input* input, grpc_metadata_batch* metadata_buffer, HPackTable* table,
-         uint8_t* dynamic_table_updates_allowed, uint32_t* frame_length,
-         RandomEarlyDetection* metadata_early_detection, LogInfo log_info)
+  Parser(Input* input, grpc_metadata_batch*& metadata_buffer,
+         InterSliceState& state, LogInfo log_info)
       : input_(input),
         metadata_buffer_(metadata_buffer),
-        table_(table),
-        dynamic_table_updates_allowed_(dynamic_table_updates_allowed),
-        frame_length_(frame_length),
-        metadata_early_detection_(metadata_early_detection),
+        state_(state),
         log_info_(log_info) {}
 
-  // Skip any priority bits, or return false on failure
-  bool SkipPriority() {
-    if (input_->remaining() < 5) {
-      input_->UnexpectedEOF();
-      return false;
+  bool Parse() {
+    switch (state_.parse_state) {
+      case ParseState::kTop:
+        return ParseTop();
+      case ParseState::kParsingKeyLength:
+        return ParseKeyLength();
+      case ParseState::kParsingKeyBody:
+        return ParseKeyBody();
+      case ParseState::kSkippingKeyBody:
+        return SkipKeyBody();
+      case ParseState::kParsingValueLength:
+        return ParseValueLength();
+      case ParseState::kParsingValueBody:
+        return ParseValueBody();
+      case ParseState::kSkippingValueLength:
+        return SkipValueLength();
+      case ParseState::kSkippingValueBody:
+        return SkipValueBody();
     }
-    input_->Advance(5);
-    return true;
+    GPR_UNREACHABLE_CODE(return false);
   }
 
-  bool Parse() {
+ private:
+  bool ParseTop() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
     auto cur = *input_->Next();
     switch (cur >> 4) {
         // Literal header not indexed - First byte format: 0000xxxx
@@ -663,11 +600,11 @@ class HPackParser::Parser {
       case 1:
         switch (cur & 0xf) {
           case 0:  // literal key
-            return FinishHeaderOmitFromTable(ParseLiteralKey());
+            return StartParseLiteralKey(false);
           case 0xf:  // varint encoded key index
-            return FinishHeaderOmitFromTable(ParseVarIdxKey(0xf));
+            return StartVarIdxKey(0xf, false);
           default:  // inline encoded key index
-            return FinishHeaderOmitFromTable(ParseIdxKey(cur & 0xf));
+            return StartIdxKey(cur & 0xf, false);
         }
         // Update max table size.
         // First byte format: 001xxxxx
@@ -694,20 +631,20 @@ class HPackParser::Parser {
       case 4:
         if (cur == 0x40) {
           // literal key
-          return FinishHeaderAndAddToTable(ParseLiteralKey());
+          return StartParseLiteralKey(true);
         }
         ABSL_FALLTHROUGH_INTENDED;
       case 5:
       case 6:
         // inline encoded key index
-        return FinishHeaderAndAddToTable(ParseIdxKey(cur & 0x3f));
+        return StartIdxKey(cur & 0x3f, true);
       case 7:
         if (cur == 0x7f) {
           // varint encoded key index
-          return FinishHeaderAndAddToTable(ParseVarIdxKey(0x3f));
+          return StartVarIdxKey(0x3f, true);
         } else {
           // inline encoded key index
-          return FinishHeaderAndAddToTable(ParseIdxKey(cur & 0x3f));
+          return StartIdxKey(cur & 0x3f, true);
         }
         // Indexed Header Field Representation
         // First byte format: 1xxxxxxx
@@ -719,7 +656,7 @@ class HPackParser::Parser {
         if (cur == 0x80) {
           // illegal value.
           input_->SetErrorAndStopParsing(
-              absl::InternalError("Illegal hpack op code"));
+              HpackParseResult::IllegalHpackOpCode());
           return false;
         }
         ABSL_FALLTHROUGH_INTENDED;
@@ -743,7 +680,6 @@ class HPackParser::Parser {
     GPR_UNREACHABLE_CODE(abort());
   }
 
- private:
   void GPR_ATTRIBUTE_NOINLINE LogHeader(const HPackTable::Memento& memento) {
     const char* type;
     switch (log_info_.type) {
@@ -757,46 +693,48 @@ class HPackParser::Parser {
         type = "???";
         break;
     }
-    gpr_log(GPR_DEBUG, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
-            log_info_.is_client ? "CLI" : "SVR",
-            memento.md.DebugString().c_str(),
-            memento.parse_status.ok()
-                ? ""
-                : absl::StrCat(
-                      " (parse error: ", memento.parse_status.ToString(), ")")
-                      .c_str());
+    gpr_log(
+        GPR_DEBUG, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
+        log_info_.is_client ? "CLI" : "SVR", memento.md.DebugString().c_str(),
+        memento.parse_status.ok()
+            ? ""
+            : absl::StrCat(" (parse error: ",
+                           memento.parse_status.Materialize().ToString(), ")")
+                  .c_str());
   }
 
   void EmitHeader(const HPackTable::Memento& md) {
     // Pass up to the transport
-    *frame_length_ += md.md.transport_size();
-    if (!input_->has_error() &&
-        metadata_early_detection_->MustReject(*frame_length_)) {
-      // Reject any requests above hard metadata limit.
-      HandleMetadataHardSizeLimitExceeded(md);
-    }
+    state_.frame_length += md.md.transport_size();
     if (!md.parse_status.ok()) {
       // Reject any requests with invalid metadata.
-      HandleMetadataParseError(md.parse_status);
+      input_->SetErrorAndContinueParsing(md.parse_status);
     }
     if (GPR_LIKELY(metadata_buffer_ != nullptr)) {
       metadata_buffer_->Set(md.md);
     }
+    if (state_.metadata_early_detection.MustReject(state_.frame_length)) {
+      // Reject any requests above hard metadata limit.
+      input_->SetErrorAndContinueParsing(
+          HpackParseResult::HardMetadataLimitExceededError(
+              std::exchange(metadata_buffer_, nullptr), state_.frame_length,
+              state_.metadata_early_detection.hard_limit()));
+    }
   }
 
-  bool FinishHeaderAndAddToTable(absl::optional<HPackTable::Memento> md) {
-    // Allow higher code to just pass in failures ... simplifies things a bit.
-    if (!md.has_value()) return false;
+  bool FinishHeaderAndAddToTable(HPackTable::Memento md) {
     // Log if desired
     if (GRPC_TRACE_FLAG_ENABLED(grpc_trace_chttp2_hpack_parser)) {
-      LogHeader(*md);
+      LogHeader(md);
     }
     // Emit whilst we own the metadata.
-    EmitHeader(*md);
+    EmitHeader(md);
     // Add to the hpack table
-    grpc_error_handle err = table_->Add(std::move(*md));
-    if (GPR_UNLIKELY(!err.ok())) {
-      input_->SetErrorAndStopParsing(std::move(err));
+    if (GPR_UNLIKELY(!state_.hpack_table.Add(std::move(md)))) {
+      input_->SetErrorAndStopParsing(
+          HpackParseResult::AddBeforeTableSizeUpdated(
+              state_.hpack_table.current_table_bytes(),
+              state_.hpack_table.max_bytes()));
       return false;
     };
     return true;
@@ -817,136 +755,269 @@ class HPackParser::Parser {
     EmitHeader(md);
   }
 
-  // Helper type to build a memento from a key & value, and to consolidate some
-  // tricky error path code.
-  class MementoBuilder {
-   public:
-    explicit MementoBuilder(Input* input, absl::string_view key_string,
-                            absl::Status status = absl::OkStatus())
-        : input_(input), key_string_(key_string), status_(std::move(status)) {}
-
-    auto ErrorHandler() {
-      return [this](absl::string_view error, const Slice&) {
-        auto message =
-            absl::StrCat("Error parsing '", key_string_,
-                         "' metadata: error=", error, " key=", key_string_);
-        gpr_log(GPR_ERROR, "%s", message.c_str());
-        if (status_.ok()) {
-          status_ = absl::InternalError(message);
-        }
-      };
+  // Parse an index encoded key and a string encoded value
+  bool StartIdxKey(uint32_t index, bool add_to_table) {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
+    input_->UpdateFrontier();
+    const auto* elem = state_.hpack_table.Lookup(index);
+    if (GPR_UNLIKELY(elem == nullptr)) {
+      InvalidHPackIndexError(index);
+      return false;
     }
+    state_.parse_state = ParseState::kParsingValueLength;
+    state_.is_binary_header = elem->md.is_binary_header();
+    state_.key.emplace<const HPackTable::Memento*>(elem);
+    state_.add_to_table = add_to_table;
+    return ParseValueLength();
+  };
 
-    HPackTable::Memento Build(ParsedMetadata<grpc_metadata_batch> memento) {
-      return HPackTable::Memento{std::move(memento), std::move(status_)};
-    }
+  // Parse a varint index encoded key and a string encoded value
+  bool StartVarIdxKey(uint32_t offset, bool add_to_table) {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
+    auto index = input_->ParseVarint(offset);
+    if (GPR_UNLIKELY(!index.has_value())) return false;
+    return StartIdxKey(*index, add_to_table);
+  }
 
-    // Handle the result of parsing a value.
-    // Returns true if parsing should continue, false if it should stop.
-    // Stores an error on the input if necessary.
-    bool HandleParseResult(String::ParseStatus status) {
-      auto continuable = [this](absl::string_view error) {
-        auto this_error = absl::InternalError(absl::StrCat(
-            "Error parsing '", key_string_, "' metadata: error=", error));
-        if (status_.ok()) status_ = this_error;
-        input_->SetErrorAndContinueParsing(std::move(this_error));
-      };
-      switch (status) {
-        case String::ParseStatus::kOk:
-          return true;
-        case String::ParseStatus::kParseHuffFailed:
-          input_->SetErrorAndStopParsing(
-              absl::InternalError("Huffman decoding failed"));
-          return false;
-        case String::ParseStatus::kUnbase64Failed:
-          continuable("illegal base64 encoding");
-          return true;
-        case String::ParseStatus::kEof:
-          GPR_DEBUG_ASSERT(input_->eof_error());
-          return false;
-      }
-      GPR_UNREACHABLE_CODE(return false);
-    }
+  bool StartParseLiteralKey(bool add_to_table) {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
+    state_.add_to_table = add_to_table;
+    state_.parse_state = ParseState::kParsingKeyLength;
+    input_->UpdateFrontier();
+    return ParseKeyLength();
+  }
 
-   private:
-    Input* input_;
-    absl::string_view key_string_;
-    absl::Status status_;
-  };
+  bool ShouldSkipParsingString(uint64_t string_length) const {
+    // We skip parsing if the string is longer than the current table size, and
+    // if we would have to reject the string due to metadata length limits
+    // regardless of what else was in the metadata batch.
+    //
+    // Why longer than the current table size? - it simplifies the logic at the
+    // end of skipping the string (and possibly a second if this is a key).
+    // If a key/value pair longer than the current table size is added to the
+    // hpack table we're forced to clear the entire table - this is a
+    // predictable operation that's easy to encode and doesn't need any state
+    // other than "skipping" to be carried forward.
+    // If we did not do this, we could end up in a situation where even though
+    // the metadata would overflow the current limit, it might not overflow the
+    // current hpack table size, and so we could not skip in on the off chance
+    // that we'd need to add it to the hpack table *and* reject the batch as a
+    // whole.
+    // That would be a mess, we're not doing it.
+    //
+    // These rules will end up having us parse some things that ultimately get
+    // rejected, and that's ok: the important thing is to have a bounded maximum
+    // so we can't be forced to infinitely buffer - not to have a perfect
+    // computation here.
+    return string_length > state_.hpack_table.current_table_size() &&
+           state_.metadata_early_detection.MustReject(
+               string_length + hpack_constants::kEntryOverhead);
+  }
+
+  bool ParseKeyLength() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kParsingKeyLength);
+    auto pfx = input_->ParseStringPrefix();
+    if (!pfx.has_value()) return false;
+    state_.is_string_huff_compressed = pfx->huff;
+    state_.string_length = pfx->length;
+    input_->UpdateFrontier();
+    if (ShouldSkipParsingString(state_.string_length)) {
+      input_->SetErrorAndContinueParsing(
+          HpackParseResult::HardMetadataLimitExceededByKeyError(
+              state_.string_length,
+              state_.metadata_early_detection.hard_limit()));
+      metadata_buffer_ = nullptr;
+      state_.parse_state = ParseState::kSkippingKeyBody;
+      return SkipKeyBody();
+    } else {
+      state_.parse_state = ParseState::kParsingKeyBody;
+      return ParseKeyBody();
+    }
+  }
 
-  // Parse a string encoded key and a string encoded value
-  absl::optional<HPackTable::Memento> ParseLiteralKey() {
-    auto key = String::Parse(input_);
+  bool ParseKeyBody() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kParsingKeyBody);
+    auto key = String::Parse(input_, state_.is_string_huff_compressed,
+                             state_.string_length);
     switch (key.status) {
-      case String::ParseStatus::kOk:
+      case HpackParseStatus::kOk:
         break;
-      case String::ParseStatus::kParseHuffFailed:
-        input_->SetErrorAndStopParsing(
-            absl::InternalError("Huffman decoding failed"));
-        return absl::nullopt;
-      case String::ParseStatus::kUnbase64Failed:
-        Crash("unreachable");
-      case String::ParseStatus::kEof:
+      case HpackParseStatus::kEof:
         GPR_DEBUG_ASSERT(input_->eof_error());
-        return absl::nullopt;
+        return false;
+      default:
+        input_->SetErrorAndStopParsing(
+            HpackParseResult::FromStatus(key.status));
+        return false;
     }
-    auto key_string = key.value.string_view();
-    auto value = ParseValueString(absl::EndsWith(key_string, "-bin"));
-    MementoBuilder builder(input_, key_string,
-                           EnsureStreamError(ValidateKey(key_string)));
-    if (!builder.HandleParseResult(value.status)) return absl::nullopt;
-    auto value_slice = value.value.Take();
-    const auto transport_size =
-        key_string.size() + value.wire_size + hpack_constants::kEntryOverhead;
-    return builder.Build(
-        grpc_metadata_batch::Parse(key_string, std::move(value_slice),
-                                   transport_size, builder.ErrorHandler()));
+    input_->UpdateFrontier();
+    state_.parse_state = ParseState::kParsingValueLength;
+    state_.is_binary_header = absl::EndsWith(key.value.string_view(), "-bin");
+    state_.key.emplace<Slice>(key.value.Take());
+    return ParseValueLength();
   }
 
-  absl::Status ValidateKey(absl::string_view key) {
-    if (key == HttpSchemeMetadata::key() || key == HttpMethodMetadata::key() ||
-        key == HttpAuthorityMetadata::key() || key == HttpPathMetadata::key() ||
-        key == HttpStatusMetadata::key()) {
-      return absl::OkStatus();
+  bool SkipStringBody() {
+    auto remaining = input_->remaining();
+    if (remaining >= state_.string_length) {
+      input_->Advance(state_.string_length);
+      return true;
+    } else {
+      input_->Advance(remaining);
+      input_->UpdateFrontier();
+      state_.string_length -= remaining;
+      // The default action of our outer loop is to buffer up to
+      // min_progress_size bytes.
+      // We know we need to do nothing up to the string length, so it would be
+      // legal to pass that here - however that would cause a client selected
+      // large buffer size to be accumulated, which would be an attack vector.
+      // We could also pass 1 here, and we'd be called to parse potentially
+      // every byte, which would give clients a way to consume substantial CPU -
+      // again not great.
+      // So we pick some tradeoff number - big enough to amortize wakeups, but
+      // probably not big enough to cause excessive memory use on the receiver.
+      input_->UnexpectedEOF(
+          /*min_progress_size=*/std::min(state_.string_length, 1024u));
+      return false;
     }
-    return ValidateHeaderKeyIsLegal(key);
   }
 
-  // Parse an index encoded key and a string encoded value
-  absl::optional<HPackTable::Memento> ParseIdxKey(uint32_t index) {
-    const auto* elem = table_->Lookup(index);
-    if (GPR_UNLIKELY(elem == nullptr)) {
-      InvalidHPackIndexError(index);
-      return absl::optional<HPackTable::Memento>();
+  bool SkipKeyBody() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kSkippingKeyBody);
+    if (!SkipStringBody()) return false;
+    input_->UpdateFrontier();
+    state_.parse_state = ParseState::kSkippingValueLength;
+    return SkipValueLength();
+  }
+
+  bool SkipValueLength() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kSkippingValueLength);
+    auto pfx = input_->ParseStringPrefix();
+    if (!pfx.has_value()) return false;
+    state_.string_length = pfx->length;
+    input_->UpdateFrontier();
+    state_.parse_state = ParseState::kSkippingValueBody;
+    return SkipValueBody();
+  }
+
+  bool SkipValueBody() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kSkippingValueBody);
+    if (!SkipStringBody()) return false;
+    input_->UpdateFrontier();
+    state_.parse_state = ParseState::kTop;
+    if (state_.add_to_table) {
+      state_.hpack_table.AddLargerThanCurrentTableSize();
     }
-    MementoBuilder builder(input_, elem->md.key(), elem->parse_status);
-    auto value = ParseValueString(elem->md.is_binary_header());
-    if (!builder.HandleParseResult(value.status)) return absl::nullopt;
-    return builder.Build(elem->md.WithNewValue(
-        value.value.Take(), value.wire_size, builder.ErrorHandler()));
-  };
+    return true;
+  }
 
-  // Parse a varint index encoded key and a string encoded value
-  absl::optional<HPackTable::Memento> ParseVarIdxKey(uint32_t offset) {
-    auto index = input_->ParseVarint(offset);
-    if (GPR_UNLIKELY(!index.has_value())) return absl::nullopt;
-    return ParseIdxKey(*index);
+  bool ParseValueLength() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kParsingValueLength);
+    auto pfx = input_->ParseStringPrefix();
+    if (!pfx.has_value()) return false;
+    state_.is_string_huff_compressed = pfx->huff;
+    state_.string_length = pfx->length;
+    input_->UpdateFrontier();
+    if (ShouldSkipParsingString(state_.string_length)) {
+      input_->SetErrorAndContinueParsing(
+          HpackParseResult::HardMetadataLimitExceededByValueError(
+              Match(
+                  state_.key, [](const Slice& s) { return s.as_string_view(); },
+                  [](const HPackTable::Memento* m) { return m->md.key(); }),
+              state_.string_length,
+              state_.metadata_early_detection.hard_limit()));
+      metadata_buffer_ = nullptr;
+      state_.parse_state = ParseState::kSkippingValueBody;
+      return SkipValueBody();
+    } else {
+      state_.parse_state = ParseState::kParsingValueBody;
+      return ParseValueBody();
+    }
   }
 
-  // Parse a string, figuring out if it's binary or not by the key name.
-  String::ParseResult ParseValueString(bool is_binary) {
-    if (is_binary) {
-      return String::ParseBinary(input_);
+  bool ParseValueBody() {
+    GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kParsingValueBody);
+    auto value =
+        state_.is_binary_header
+            ? String::ParseBinary(input_, state_.is_string_huff_compressed,
+                                  state_.string_length)
+            : String::Parse(input_, state_.is_string_huff_compressed,
+                            state_.string_length);
+    HpackParseResult& status = state_.frame_error;
+    absl::string_view key_string;
+    if (auto* s = absl::get_if<Slice>(&state_.key)) {
+      key_string = s->as_string_view();
+      if (status.ok()) {
+        auto r = ValidateKey(key_string);
+        if (r != ValidateMetadataResult::kOk) {
+          input_->SetErrorAndContinueParsing(
+              HpackParseResult::InvalidMetadataError(r, key_string));
+        }
+      }
     } else {
-      return String::Parse(input_);
+      const auto* memento = absl::get<const HPackTable::Memento*>(state_.key);
+      key_string = memento->md.key();
+      if (status.ok() && !memento->parse_status.ok()) {
+        input_->SetErrorAndContinueParsing(memento->parse_status);
+      }
+    }
+    switch (value.status) {
+      case HpackParseStatus::kOk:
+        break;
+      case HpackParseStatus::kEof:
+        GPR_DEBUG_ASSERT(input_->eof_error());
+        return false;
+      default: {
+        auto result =
+            HpackParseResult::FromStatusWithKey(value.status, key_string);
+        if (result.stream_error()) {
+          input_->SetErrorAndContinueParsing(std::move(result));
+          break;
+        } else {
+          input_->SetErrorAndStopParsing(std::move(result));
+          return false;
+        }
+      }
+    }
+    auto value_slice = value.value.Take();
+    const auto transport_size =
+        key_string.size() + value.wire_size + hpack_constants::kEntryOverhead;
+    auto md = grpc_metadata_batch::Parse(
+        key_string, std::move(value_slice), transport_size,
+        [key_string, &status, this](absl::string_view message, const Slice&) {
+          if (!status.ok()) return;
+          input_->SetErrorAndContinueParsing(
+              HpackParseResult::MetadataParseError(key_string));
+          gpr_log(GPR_ERROR, "Error parsing '%s' metadata: %s",
+                  std::string(key_string).c_str(),
+                  std::string(message).c_str());
+        });
+    HPackTable::Memento memento{std::move(md),
+                                status.PersistentStreamErrorOrOk()};
+    input_->UpdateFrontier();
+    state_.parse_state = ParseState::kTop;
+    if (state_.add_to_table) {
+      return FinishHeaderAndAddToTable(std::move(memento));
+    } else {
+      FinishHeaderOmitFromTable(memento);
+      return true;
     }
   }
 
+  ValidateMetadataResult ValidateKey(absl::string_view key) {
+    if (key == HttpSchemeMetadata::key() || key == HttpMethodMetadata::key() ||
+        key == HttpAuthorityMetadata::key() || key == HttpPathMetadata::key() ||
+        key == HttpStatusMetadata::key()) {
+      return ValidateMetadataResult::kOk;
+    }
+    return ValidateHeaderKeyIsLegal(key);
+  }
+
   // Emit an indexed field
   bool FinishIndexed(absl::optional<uint32_t> index) {
-    *dynamic_table_updates_allowed_ = 0;
+    state_.dynamic_table_updates_allowed = 0;
     if (!index.has_value()) return false;
-    const auto* elem = table_->Lookup(*index);
+    const auto* elem = state_.hpack_table.Lookup(*index);
     if (GPR_UNLIKELY(elem == nullptr)) {
       InvalidHPackIndexError(*index);
       return false;
@@ -958,15 +1029,16 @@ class HPackParser::Parser {
   // finish parsing a max table size change
   bool FinishMaxTableSize(absl::optional<uint32_t> size) {
     if (!size.has_value()) return false;
-    if (*dynamic_table_updates_allowed_ == 0) {
-      input_->SetErrorAndStopParsing(absl::InternalError(
-          "More than two max table size changes in a single frame"));
+    if (state_.dynamic_table_updates_allowed == 0) {
+      input_->SetErrorAndStopParsing(
+          HpackParseResult::TooManyDynamicTableSizeChangesError());
       return false;
     }
-    (*dynamic_table_updates_allowed_)--;
-    grpc_error_handle err = table_->SetCurrentTableSize(*size);
-    if (!err.ok()) {
-      input_->SetErrorAndStopParsing(std::move(err));
+    state_.dynamic_table_updates_allowed--;
+    if (!state_.hpack_table.SetCurrentTableSize(*size)) {
+      input_->SetErrorAndStopParsing(
+          HpackParseResult::IllegalTableSizeChangeError(
+              *size, state_.hpack_table.max_bytes()));
       return false;
     }
     return true;
@@ -975,51 +1047,13 @@ class HPackParser::Parser {
   // Set an invalid hpack index error if no error has been set. Returns result
   // unmodified.
   void InvalidHPackIndexError(uint32_t index) {
-    input_->SetErrorAndStopParsing(grpc_error_set_int(
-        grpc_error_set_int(absl::InternalError("Invalid HPACK index received"),
-                           StatusIntProperty::kIndex,
-                           static_cast<intptr_t>(index)),
-        StatusIntProperty::kSize,
-        static_cast<intptr_t>(this->table_->num_entries())));
-  }
-
-  GPR_ATTRIBUTE_NOINLINE
-  void HandleMetadataParseError(const absl::Status& status) {
-    if (metadata_buffer_ != nullptr) {
-      metadata_buffer_->Clear();
-      metadata_buffer_ = nullptr;
-    }
-    // StreamId is used as a signal to skip this stream but keep the connection
-    // alive
-    input_->SetErrorAndContinueParsing(status);
-  }
-
-  GPR_ATTRIBUTE_NOINLINE
-  void HandleMetadataHardSizeLimitExceeded(const HPackTable::Memento& md) {
-    // Collect a summary of sizes so far for debugging
-    // Do not collect contents, for fear of exposing PII.
-    std::string summary;
-    std::string error_message;
-    if (metadata_buffer_ != nullptr) {
-      MetadataSizeLimitExceededEncoder encoder(summary);
-      metadata_buffer_->Encode(&encoder);
-    }
-    summary = absl::StrCat("; adding ", md.md.key(), " (length ",
-                           md.md.transport_size(), "B)",
-                           summary.empty() ? "" : " to ", summary);
-    error_message = absl::StrCat(
-        "received metadata size exceeds hard limit (", *frame_length_, " vs. ",
-        metadata_early_detection_->hard_limit(), ")", summary);
-    HandleMetadataParseError(absl::ResourceExhaustedError(error_message));
+    input_->SetErrorAndStopParsing(
+        HpackParseResult::InvalidHpackIndexError(index));
   }
 
   Input* const input_;
-  grpc_metadata_batch* metadata_buffer_;
-  HPackTable* const table_;
-  uint8_t* const dynamic_table_updates_allowed_;
-  uint32_t* const frame_length_;
-  // Random early detection of metadata size limits.
-  RandomEarlyDetection* metadata_early_detection_;
+  grpc_metadata_batch*& metadata_buffer_;
+  InterSliceState& state_;
   const LogInfo log_info_;
 };
 
@@ -1051,9 +1085,8 @@ void HPackParser::BeginFrame(grpc_metadata_batch* metadata_buffer,
   }
   boundary_ = boundary;
   priority_ = priority;
-  dynamic_table_updates_allowed_ = 2;
-  frame_length_ = 0;
-  metadata_early_detection_ = RandomEarlyDetection(
+  state_.dynamic_table_updates_allowed = 2;
+  state_.metadata_early_detection.SetLimits(
       /*soft_limit=*/metadata_size_soft_limit,
       /*hard_limit=*/metadata_size_hard_limit);
   log_info_ = log_info;
@@ -1061,36 +1094,43 @@ void HPackParser::BeginFrame(grpc_metadata_batch* metadata_buffer,
 
 grpc_error_handle HPackParser::Parse(const grpc_slice& slice, bool is_last) {
   if (GPR_UNLIKELY(!unparsed_bytes_.empty())) {
+    unparsed_bytes_.insert(unparsed_bytes_.end(), GRPC_SLICE_START_PTR(slice),
+                           GRPC_SLICE_END_PTR(slice));
+    if (!(is_last && is_boundary()) &&
+        unparsed_bytes_.size() < min_progress_size_) {
+      // We wouldn't make progress anyway, skip out.
+      return absl::OkStatus();
+    }
     std::vector<uint8_t> buffer = std::move(unparsed_bytes_);
-    buffer.insert(buffer.end(), GRPC_SLICE_START_PTR(slice),
-                  GRPC_SLICE_END_PTR(slice));
-    return ParseInput(
-        Input(nullptr, buffer.data(), buffer.data() + buffer.size()), is_last);
+    return ParseInput(Input(nullptr, buffer.data(),
+                            buffer.data() + buffer.size(), state_.frame_error),
+                      is_last);
   }
   return ParseInput(Input(slice.refcount, GRPC_SLICE_START_PTR(slice),
-                          GRPC_SLICE_END_PTR(slice)),
+                          GRPC_SLICE_END_PTR(slice), state_.frame_error),
                     is_last);
 }
 
 grpc_error_handle HPackParser::ParseInput(Input input, bool is_last) {
   ParseInputInner(&input);
-  if (is_last) {
-    if (metadata_early_detection_.Reject(frame_length_)) {
+  if (is_last && is_boundary()) {
+    if (state_.metadata_early_detection.Reject(state_.frame_length)) {
       HandleMetadataSoftSizeLimitExceeded(&input);
     }
-    global_stats().IncrementHttp2MetadataSize(frame_length_);
-  }
-  if (input.eof_error()) {
-    if (GPR_UNLIKELY(is_last && is_boundary())) {
-      auto err = input.TakeError();
-      if (!err.ok() && !IsStreamError(err)) return err;
-      return absl::InternalError(
-          "Incomplete header at the end of a header/continuation sequence");
+    global_stats().IncrementHttp2MetadataSize(state_.frame_length);
+    if (!state_.frame_error.connection_error() &&
+        (input.eof_error() || state_.parse_state != ParseState::kTop)) {
+      state_.frame_error = HpackParseResult::IncompleteHeaderAtBoundaryError();
+    }
+    state_.frame_length = 0;
+    return std::exchange(state_.frame_error, HpackParseResult()).Materialize();
+  } else {
+    if (input.eof_error() && !state_.frame_error.connection_error()) {
+      unparsed_bytes_ = std::vector<uint8_t>(input.frontier(), input.end_ptr());
+      min_progress_size_ = input.min_progress_size();
     }
-    unparsed_bytes_ = std::vector<uint8_t>(input.frontier(), input.end_ptr());
-    return input.TakeError();
+    return state_.frame_error.Materialize();
   }
-  return input.TakeError();
 }
 
 void HPackParser::ParseInputInner(Input* input) {
@@ -1099,7 +1139,7 @@ void HPackParser::ParseInputInner(Input* input) {
       break;
     case Priority::Included: {
       if (input->remaining() < 5) {
-        input->UnexpectedEOF();
+        input->UnexpectedEOF(/*min_progress_size=*/5);
         return;
       }
       input->Advance(5);
@@ -1108,10 +1148,8 @@ void HPackParser::ParseInputInner(Input* input) {
     }
   }
   while (!input->end_of_stream()) {
-    if (GPR_UNLIKELY(!Parser(input, metadata_buffer_, &table_,
-                             &dynamic_table_updates_allowed_, &frame_length_,
-                             &metadata_early_detection_, log_info_)
-                          .Parse())) {
+    if (GPR_UNLIKELY(
+            !Parser(input, metadata_buffer_, state_, log_info_).Parse())) {
       return;
     }
     input->UpdateFrontier();
@@ -1121,24 +1159,10 @@ void HPackParser::ParseInputInner(Input* input) {
 void HPackParser::FinishFrame() { metadata_buffer_ = nullptr; }
 
 void HPackParser::HandleMetadataSoftSizeLimitExceeded(Input* input) {
-  // Collect a summary of sizes so far for debugging
-  // Do not collect contents, for fear of exposing PII.
-  std::string summary;
-  std::string error_message;
-  if (metadata_buffer_ != nullptr) {
-    MetadataSizeLimitExceededEncoder encoder(summary);
-    metadata_buffer_->Encode(&encoder);
-  }
-  error_message = absl::StrCat(
-      "received metadata size exceeds soft limit (", frame_length_, " vs. ",
-      metadata_early_detection_.soft_limit(),
-      "), rejecting requests with some random probability", summary);
-  if (metadata_buffer_ != nullptr) {
-    metadata_buffer_->Clear();
-    metadata_buffer_ = nullptr;
-  }
   input->SetErrorAndContinueParsing(
-      absl::ResourceExhaustedError(error_message));
+      HpackParseResult::SoftMetadataLimitExceededError(
+          std::exchange(metadata_buffer_, nullptr), state_.frame_length,
+          state_.metadata_early_detection.soft_limit()));
 }
 
 }  // namespace grpc_core