From 026919b7ea89b6167f0fb84824a644fbbdabc8e7 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 4 Feb 2016 23:05:05 +0900 Subject: [PATCH] asio: server: Limit incoming request header field buffer size --- src/asio_server_http2_handler.cc | 7 +++++++ src/asio_server_request_impl.cc | 8 +++++++- src/asio_server_request_impl.h | 4 ++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/asio_server_http2_handler.cc b/src/asio_server_http2_handler.cc index 48e0bd14..52944942 100644 --- a/src/asio_server_http2_handler.cc +++ b/src/asio_server_http2_handler.cc @@ -105,6 +105,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame, } // fall through default: + if (req.header_buffer_size() + namelen + valuelen > 64_k) { + nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE, frame->hd.stream_id, + NGHTTP2_INTERNAL_ERROR); + break; + } + req.update_header_buffer_size(namelen + valuelen); + req.header().emplace(std::string(name, name + namelen), header_value{std::string(value, value + valuelen), (flags & NGHTTP2_NV_FLAG_NO_INDEX) != 0}); diff --git a/src/asio_server_request_impl.cc b/src/asio_server_request_impl.cc index 64866fa2..8442ad05 100644 --- a/src/asio_server_request_impl.cc +++ b/src/asio_server_request_impl.cc @@ -28,7 +28,7 @@ namespace nghttp2 { namespace asio_http2 { namespace server { -request_impl::request_impl() : strm_(nullptr) {} +request_impl::request_impl() : strm_(nullptr), header_buffer_size_(0) {} const header_map &request_impl::header() const { return header_; } @@ -62,6 +62,12 @@ void request_impl::remote_endpoint(boost::asio::ip::tcp::endpoint ep) { remote_ep_ = std::move(ep); } +size_t request_impl::header_buffer_size() const { return header_buffer_size_; } + +void request_impl::update_header_buffer_size(size_t len) { + header_buffer_size_ += len; +} + } // namespace server } // namespace asio_http2 } // namespace nghttp2 diff --git a/src/asio_server_request_impl.h b/src/asio_server_request_impl.h index b4a37ff1..05de98a8 100644 --- a/src/asio_server_request_impl.h +++ b/src/asio_server_request_impl.h @@ -58,6 +58,9 @@ public: const boost::asio::ip::tcp::endpoint &remote_endpoint() const; void remote_endpoint(boost::asio::ip::tcp::endpoint ep); + size_t header_buffer_size() const; + void update_header_buffer_size(size_t len); + private: class stream *strm_; header_map header_; @@ -65,6 +68,7 @@ private: uri_ref uri_; data_cb on_data_cb_; boost::asio::ip::tcp::endpoint remote_ep_; + size_t header_buffer_size_; }; } // namespace server