Check payload length when submitting GOAWAY and ALTSVC

lib/includes/nghttp2/nghttp2.h

@@ -2452,6 +2452,8 @@ int nghttp2_submit_ping(nghttp2_session *session, uint8_t flags,
  *
  * :enum:`NGHTTP2_ERR_NOMEM`
  *     Out of memory.
+ * NGHTTP2_ERR_INVALID_ARGUMENT
+ *     The |opaque_data_len| is too large.
  */
 int nghttp2_submit_goaway(nghttp2_session *session, uint8_t flags,
                           nghttp2_error_code error_code,
@@ -2520,6 +2522,9 @@ int nghttp2_submit_window_update(nghttp2_session *session, uint8_t flags,
  * :enum:`NGHTTP2_ERR_INVALID_STATE`
  *     The function is invoked with |session| which was initialized as
  *     client.
+ * NGHTTP2_ERR_INVALID_ARGUMENT
+ *     The combined length of |protocol_id_len|, |host_len| and
+ *     |origin_len| is is too large.
  */
 int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
                           int32_t stream_id,

lib/nghttp2_session.c

@@ -5237,7 +5237,7 @@ int nghttp2_session_add_goaway(nghttp2_session *session,
   nghttp2_frame *frame;
   uint8_t *opaque_data_copy = NULL;
   if(opaque_data_len) {
-    if(opaque_data_len > UINT16_MAX - 8) {
+    if(opaque_data_len + 8 > NGHTTP2_MAX_PAYLOADLEN) {
       return NGHTTP2_ERR_INVALID_ARGUMENT;
     }
     opaque_data_copy = malloc(opaque_data_len);

lib/nghttp2_session.h

@@ -283,6 +283,8 @@ int nghttp2_session_add_ping(nghttp2_session *session, uint8_t flags,
  *
  * NGHTTP2_ERR_NOMEM
  *     Out of memory.
+ * NGHTTP2_ERR_INVALID_ARGUMENT
+ *     The |opaque_data_len| is too large.
  */
 int nghttp2_session_add_goaway(nghttp2_session *session,
                                int32_t last_stream_id,

lib/nghttp2_submit.c

@@ -335,6 +335,11 @@ int nghttp2_submit_altsvc(nghttp2_session *session, uint8_t flags,
 
   varlen = protocol_id_len + host_len + origin_len;
 
+  /* 9 = fixed part 8 bytes + HOST_LEN 1 byte */
+  if(varlen + 9 > NGHTTP2_MAX_PAYLOADLEN) {
+    return NGHTTP2_ERR_INVALID_ARGUMENT;
+  }
+
   if(varlen == 0) {
     var = NULL;
     copy_protocol_id = NULL;