diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h index 21672cd2..76cc0c05 100644 --- a/lib/includes/nghttp2/nghttp2.h +++ b/lib/includes/nghttp2/nghttp2.h @@ -152,13 +152,6 @@ typedef struct { */ #define NGHTTP2_INITIAL_CONNECTION_WINDOW_SIZE ((1 << 16) - 1) -/** - * @macro - * - * The maximum header table size. - */ -#define NGHTTP2_MAX_HEADER_TABLE_SIZE (1 << 28) - /** * @macro * diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c index 154a8e35..c045e9d4 100644 --- a/lib/nghttp2_frame.c +++ b/lib/nghttp2_frame.c @@ -1008,6 +1008,10 @@ int nghttp2_iv_check(const nghttp2_settings_entry *iv, size_t niv) for(i = 0; i < niv; ++i) { switch(iv[i].settings_id) { case NGHTTP2_SETTINGS_HEADER_TABLE_SIZE: + if(iv[i].value > NGHTTP2_MAX_HEADER_TABLE_SIZE) { + return 0; + } + break; case NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS: break; case NGHTTP2_SETTINGS_ENABLE_PUSH: diff --git a/lib/nghttp2_frame.h b/lib/nghttp2_frame.h index a1ee6f23..ca5ca7b6 100644 --- a/lib/nghttp2_frame.h +++ b/lib/nghttp2_frame.h @@ -57,6 +57,9 @@ /* The number of bytes for each SETTINGS entry */ #define NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH 5 +/* The maximum header table size in SETTINGS_HEADER_TABLE_SIZE */ +#define NGHTTP2_MAX_HEADER_TABLE_SIZE ((1u << 31) - 1) + /* Category of frames. */ typedef enum { /* non-DATA frame */ diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c index 63b21864..3635c157 100644 --- a/lib/nghttp2_session.c +++ b/lib/nghttp2_session.c @@ -3265,7 +3265,8 @@ static int session_update_local_initial_window_size /* * Apply SETTINGS values |iv| having |niv| elements to the local - * settings. + * settings. We assumes that all values in |iv| is correct, since we + * validated them in nghttp2_session_add_settings() already. * * This function returns 0 if it succeeds, or one of the following * negative error codes: @@ -3297,10 +3298,6 @@ int nghttp2_session_update_local_settings(nghttp2_session *session, } } if(header_table_size_seen) { - if(header_table_size < 0 || - header_table_size > NGHTTP2_MAX_HEADER_TABLE_SIZE) { - return NGHTTP2_ERR_HEADER_COMP; - } rv = nghttp2_hd_inflate_change_table_size(&session->hd_inflater, header_table_size); if(rv != 0) { diff --git a/tests/nghttp2_frame_test.c b/tests/nghttp2_frame_test.c index 4f461f0c..0d55b2e8 100644 --- a/tests/nghttp2_frame_test.c +++ b/tests/nghttp2_frame_test.c @@ -647,4 +647,9 @@ void test_nghttp2_iv_check(void) iv[1].settings_id = 1000000009; iv[1].value = 0; CU_ASSERT(!nghttp2_iv_check(iv, 2)); + + /* Too large SETTINGS_HEADER_TABLE_SIZE */ + iv[1].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE; + iv[1].value = UINT32_MAX; + CU_ASSERT(!nghttp2_iv_check(iv, 2)); }