From 64d7288428fa74e64d3e13e819263e5df4b88444 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 4 Feb 2016 22:51:06 +0900
Subject: [PATCH] nghttpd: Limit request header buffer
---
 src/HttpServer.cc | 9 ++++++++-
 src/HttpServer.h | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index b1e0b0fe..ee07845d 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -425,7 +425,7 @@ void release_fd_cb(struct ev_loop *loop, ev_timer *w, int revents) {
 Stream::Stream(Http2Handler *handler, int32_t stream_id) : handler(handler), file_ent(nullptr), body_length(0), body_offset(0),
- stream_id(stream_id), echo_upload(false) {
+ header_buffer_size(0), stream_id(stream_id), echo_upload(false) {
 auto config = handler->get_config();
 ev_timer_init(&rtimer, stream_timeout_cb, 0., config->stream_read_timeout);
 ev_timer_init(&wtimer, stream_timeout_cb, 0., config->stream_write_timeout);
@@ -1316,6 +1316,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
 return 0;
 }
+ if (stream->header_buffer_size + namelen + valuelen > 64_k) {
+ hd->submit_rst_stream(stream, NGHTTP2_INTERNAL_ERROR);
+ return 0;
+ }
+
+ stream->header_buffer_size += namelen + valuelen;
+
 auto token = http2::lookup_token(name, namelen);
 http2::index_header(stream->hdidx, token, stream->headers.size());
diff --git a/src/HttpServer.h b/src/HttpServer.h
index 3e889711..1214e387 100644
--- a/src/HttpServer.h
+++ b/src/HttpServer.h
@@ -110,6 +110,9 @@ struct Stream {
 ev_timer wtimer;
 int64_t body_length;
 int64_t body_offset;
+ // Total amount of bytes (sum of name and value length) used in
+ // headers.
+ size_t header_buffer_size;
 int32_t stream_id;
 http2::HeaderIndex hdidx;
 bool echo_upload;
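Review bot: The new cap in on_header_callback counts only `namelen + valuelen`, so the per-field cost of each entry appended to `stream->headers` is not covered by the `64_k` figure, and a request made of many very short fields can hold more memory than the limit suggests. RFC 7540 section 6.5.2 sizes a header list as name plus value plus 32 octets per field; accounting the same way, `stream->header_buffer_size += namelen + valuelen + 32;` with the same term added to the comparison, keeps the cap closer to real memory use. The `64_k` literal would also be easier to audit as a named constant, and `NGHTTP2_INTERNAL_ERROR` reports a client-caused rejection as a server fault, which can mislead anyone triaging stream resets. The function begins and ends outside the hunk, so whether later fields of the same header block still reach this check after the reset is submitted cannot be confirmed from here.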