asio: server: Limit incoming request header field buffer size

src/asio_server_http2_handler.cc

@@ -105,6 +105,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
     }
   // fall through
   default:
+    if (req.header_buffer_size() + namelen + valuelen > 64_k) {
+      nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE, frame->hd.stream_id,
+                                NGHTTP2_INTERNAL_ERROR);
+      break;
+    }
+    req.update_header_buffer_size(namelen + valuelen);
+
     req.header().emplace(std::string(name, name + namelen),
                          header_value{std::string(value, value + valuelen),
                                       (flags & NGHTTP2_NV_FLAG_NO_INDEX) != 0});

src/asio_server_request_impl.cc

@@ -28,7 +28,7 @@ namespace nghttp2 {
 namespace asio_http2 {
 namespace server {
 
-request_impl::request_impl() : strm_(nullptr) {}
+request_impl::request_impl() : strm_(nullptr), header_buffer_size_(0) {}
 
 const header_map &request_impl::header() const { return header_; }
 
@@ -62,6 +62,12 @@ void request_impl::remote_endpoint(boost::asio::ip::tcp::endpoint ep) {
   remote_ep_ = std::move(ep);
 }
 
+size_t request_impl::header_buffer_size() const { return header_buffer_size_; }
+
+void request_impl::update_header_buffer_size(size_t len) {
+  header_buffer_size_ += len;
+}
+
 } // namespace server
 } // namespace asio_http2
 } // namespace nghttp2

src/asio_server_request_impl.h

@@ -58,6 +58,9 @@ public:
   const boost::asio::ip::tcp::endpoint &remote_endpoint() const;
   void remote_endpoint(boost::asio::ip::tcp::endpoint ep);
 
+  size_t header_buffer_size() const;
+  void update_header_buffer_size(size_t len);
+
 private:
   class stream *strm_;
   header_map header_;
@@ -65,6 +68,7 @@ private:
   uri_ref uri_;
   data_cb on_data_cb_;
   boost::asio::ip::tcp::endpoint remote_ep_;
+  size_t header_buffer_size_;
 };
 
 } // namespace server