From 6b4b7bef237a24c7f22ceb3554dc3003f3be7c02 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 24 Jan 2015 00:37:26 +0900
Subject: [PATCH] nghttpx: Reset stream if request header field name is
 malformed

---
 src/shrpx_http2_upstream.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/shrpx_http2_upstream.cc b/src/shrpx_http2_upstream.cc
index 4edb1606..e92ce5c3 100644
--- a/src/shrpx_http2_upstream.cc
+++ b/src/shrpx_http2_upstream.cc
@@ -179,6 +179,15 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
 
     return 0;
   }
+  if (!nghttp2_check_header_name(name, namelen)) {
+    // we are not forgiving for malformed header field name in
+    // request.
+    upstream->rst_stream(downstream, NGHTTP2_PROTOCOL_ERROR);
+    return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+  }
+  if (!nghttp2_check_header_value(value, valuelen)) {
+    return 0;
+  }
   if (!http2::check_nv(name, namelen, value, valuelen)) {
     // Simply discard name/value, as if it never happen.
     return 0;