Check payload length when submitting GOAWAY and ALTSVC

This commit is contained in:
Tatsuhiro Tsujikawa 2014-04-01 21:55:29 +09:00
parent f785e56dba
commit f5ead55f0e
4 changed files with 13 additions and 1 deletions

View File

@ -2452,6 +2452,8 @@ int nghttp2_submit_ping(nghttp2_session *session, uint8_t flags,
*
* :enum:`NGHTTP2_ERR_NOMEM`
* Out of memory.
* NGHTTP2_ERR_INVALID_ARGUMENT
* The |opaque_data_len| is too large.
*/
int nghttp2_submit_goaway(nghttp2_session *session, uint8_t flags,
nghttp2_error_code error_code,
@ -2520,6 +2522,9 @@ int nghttp2_submit_window_update(nghttp2_session *session, uint8_t flags,
* :enum:`NGHTTP2_ERR_INVALID_STATE`
* The function is invoked with |session| which was initialized as
* client.
* NGHTTP2_ERR_INVALID_ARGUMENT
* The combined length of |protocol_id_len|, |host_len| and
* |origin_len| is is too large.
*/
int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
int32_t stream_id,

View File

@ -5237,7 +5237,7 @@ int nghttp2_session_add_goaway(nghttp2_session *session,
nghttp2_frame *frame;
uint8_t *opaque_data_copy = NULL;
if(opaque_data_len) {
if(opaque_data_len > UINT16_MAX - 8) {
if(opaque_data_len + 8 > NGHTTP2_MAX_PAYLOADLEN) {
return NGHTTP2_ERR_INVALID_ARGUMENT;
}
opaque_data_copy = malloc(opaque_data_len);

View File

@ -283,6 +283,8 @@ int nghttp2_session_add_ping(nghttp2_session *session, uint8_t flags,
*
* NGHTTP2_ERR_NOMEM
* Out of memory.
* NGHTTP2_ERR_INVALID_ARGUMENT
* The |opaque_data_len| is too large.
*/
int nghttp2_session_add_goaway(nghttp2_session *session,
int32_t last_stream_id,

View File

@ -335,6 +335,11 @@ int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
varlen = protocol_id_len + host_len + origin_len;
/* 9 = fixed part 8 bytes + HOST_LEN 1 byte */
if(varlen + 9 > NGHTTP2_MAX_PAYLOADLEN) {
return NGHTTP2_ERR_INVALID_ARGUMENT;
}
if(varlen == 0) {
var = NULL;
copy_protocol_id = NULL;