nghttpd: Limit request header buffer

src/HttpServer.cc

@@ -447,6 +447,7 @@ Stream::Stream(Http2Handler *handler, int32_t stream_id)
       file_ent(nullptr),
       body_length(0),
       body_offset(0),
+      header_buffer_size(0),
       stream_id(stream_id),
       echo_upload(false) {
   auto config = handler->get_config();
@@ -1389,6 +1390,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
     return 0;
   }
 
+  if (stream->header_buffer_size + namelen + valuelen > 64_k) {
+    hd->submit_rst_stream(stream, NGHTTP2_INTERNAL_ERROR);
+    return 0;
+  }
+
+  stream->header_buffer_size += namelen + valuelen;
+
   auto token = http2::lookup_token(name, namelen);
 
   http2::index_header(stream->hdidx, token, stream->headers.size());

src/HttpServer.h

@@ -119,6 +119,9 @@ struct Stream {
   ev_timer wtimer;
   int64_t body_length;
   int64_t body_offset;
+  // Total amount of bytes (sum of name and value length) used in
+  // headers.
+  size_t header_buffer_size;
   int32_t stream_id;
   http2::HeaderIndex hdidx;
   bool echo_upload;