Check payload length when submitting GOAWAY and ALTSVC
parent
f785e56dba
commit
f5ead55f0e
|
@ -2452,6 +2452,8 @@ int nghttp2_submit_ping(nghttp2_session *session, uint8_t flags,
|
|||
*
|
||||
* :enum:`NGHTTP2_ERR_NOMEM`
|
||||
* Out of memory.
|
||||
* NGHTTP2_ERR_INVALID_ARGUMENT
|
||||
* The |opaque_data_len| is too large.
|
||||
*/
|
||||
int nghttp2_submit_goaway(nghttp2_session *session, uint8_t flags,
|
||||
nghttp2_error_code error_code,
|
||||
|
@ -2520,6 +2522,9 @@ int nghttp2_submit_window_update(nghttp2_session *session, uint8_t flags,
|
|||
* :enum:`NGHTTP2_ERR_INVALID_STATE`
|
||||
* The function is invoked with |session| which was initialized as
|
||||
* client.
|
||||
* NGHTTP2_ERR_INVALID_ARGUMENT
|
||||
* The combined length of |protocol_id_len|, |host_len| and
|
||||
* |origin_len| is is too large.
|
||||
*/
|
||||
int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
|
||||
int32_t stream_id,
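Review bot: The new ALTSVC entry in the comment above nghttp2_submit_altsvc reads "is is too large"; the doubled word should go, giving `* |origin_len| is too large.`. Both added error entries also name NGHTTP2_ERR_INVALID_ARGUMENT bare, while the neighbouring entries in the same comments use the `:enum:` role (as on the NGHTTP2_ERR_NOMEM and NGHTTP2_ERR_INVALID_STATE lines), so the new ones will presumably not be cross-linked in the generated API docs. Since this is the public header, it would also help callers if "too large" stated the actual bound in terms of the maximum payload length rather than leaving it implicit.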
|
||||
|
|
|
@ -5237,7 +5237,7 @@ int nghttp2_session_add_goaway(nghttp2_session *session,
|
|||
nghttp2_frame *frame;
|
||||
uint8_t *opaque_data_copy = NULL;
|
||||
if(opaque_data_len) {
|
||||
if(opaque_data_len > UINT16_MAX - 8) {
|
||||
if(opaque_data_len + 8 > NGHTTP2_MAX_PAYLOADLEN) {
|
||||
return NGHTTP2_ERR_INVALID_ARGUMENT;
|
||||
}
|
||||
opaque_data_copy = malloc(opaque_data_len);
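Review bot: The new bound `opaque_data_len + 8 > NGHTTP2_MAX_PAYLOADLEN` does the addition on the caller-supplied side. If opaque_data_len is a size_t (the malloc call suggests so; the declaration is outside the hunk), a value within 8 of SIZE_MAX wraps to a small number and passes the check, which the replaced `UINT16_MAX - 8` form could not do. Keeping the arithmetic on the constant avoids this: `if(opaque_data_len > NGHTTP2_MAX_PAYLOADLEN - 8) {`. The ALTSVC check added in nghttp2_submit_altsvc has the same weakness twice over, because `varlen = protocol_id_len + host_len + origin_len` can wrap before `varlen + 9` is compared; each length should be tested against the remaining budget before they are summed. Both function bodies continue outside their hunks.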
|
||||
|
|
|
@ -283,6 +283,8 @@ int nghttp2_session_add_ping(nghttp2_session *session, uint8_t flags,
|
|||
*
|
||||
* NGHTTP2_ERR_NOMEM
|
||||
* Out of memory.
|
||||
* NGHTTP2_ERR_INVALID_ARGUMENT
|
||||
* The |opaque_data_len| is too large.
|
||||
*/
|
||||
int nghttp2_session_add_goaway(nghttp2_session *session,
|
||||
int32_t last_stream_id,
|
||||
|
|
|
@ -335,6 +335,11 @@ int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
|
|||
|
||||
varlen = protocol_id_len + host_len + origin_len;
|
||||
|
||||
/* 9 = fixed part 8 bytes + HOST_LEN 1 byte */
|
||||
if(varlen + 9 > NGHTTP2_MAX_PAYLOADLEN) {
|
||||
return NGHTTP2_ERR_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if(varlen == 0) {
|
||||
var = NULL;
|
||||
copy_protocol_id = NULL;
|
||||
|
|