Merge branch 'limit-incoming-headers'

lib/includes/nghttp2/nghttp2.h

@@ -1608,6 +1608,14 @@ typedef int (*nghttp2_on_begin_headers_callback)(nghttp2_session *session,
  *
  * To set this callback to :type:`nghttp2_session_callbacks`, use
  * `nghttp2_session_callbacks_set_on_header_callback()`.
+ *
+ * .. warning::
+ *
+ *   Application should properly limit the total buffer size to store
+ *   incoming header fields.  Without it, peer may send large number
+ *   of header fields or large header fields to cause out of memory in
+ *   local endpoint.  Due to how HPACK works, peer can do this
+ *   effectively without using much memory on their own.
  */
 typedef int (*nghttp2_on_header_callback)(nghttp2_session *session,
                                           const nghttp2_frame *frame,

src/HttpServer.cc

@@ -447,6 +447,7 @@ Stream::Stream(Http2Handler *handler, int32_t stream_id)
       file_ent(nullptr),
       body_length(0),
       body_offset(0),
+      header_buffer_size(0),
       stream_id(stream_id),
       echo_upload(false) {
   auto config = handler->get_config();
@@ -1389,6 +1390,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
     return 0;
   }
 
+  if (stream->header_buffer_size + namelen + valuelen > 64_k) {
+    hd->submit_rst_stream(stream, NGHTTP2_INTERNAL_ERROR);
+    return 0;
+  }
+
+  stream->header_buffer_size += namelen + valuelen;
+
   auto token = http2::lookup_token(name, namelen);
 
   http2::index_header(stream->hdidx, token, stream->headers.size());

src/HttpServer.h

@@ -119,6 +119,9 @@ struct Stream {
   ev_timer wtimer;
   int64_t body_length;
   int64_t body_offset;
+  // Total amount of bytes (sum of name and value length) used in
+  // headers.
+  size_t header_buffer_size;
   int32_t stream_id;
   http2::HeaderIndex hdidx;
   bool echo_upload;

src/asio_client_request_impl.cc

@@ -32,7 +32,7 @@ namespace nghttp2 {
 namespace asio_http2 {
 namespace client {
 
-request_impl::request_impl() : strm_(nullptr) {}
+request_impl::request_impl() : strm_(nullptr), header_buffer_size_(0) {}
 
 void request_impl::write_trailer(header_map h) {
   auto sess = strm_->session();
@@ -105,6 +105,12 @@ void request_impl::method(std::string s) { method_ = std::move(s); }
 
 const std::string &request_impl::method() const { return method_; }
 
+size_t request_impl::header_buffer_size() const { return header_buffer_size_; }
+
+void request_impl::update_header_buffer_size(size_t len) {
+  header_buffer_size_ += len;
+}
+
 } // namespace client
 } // namespace asio_http2
 } // namespace nghttp2

src/asio_client_request_impl.h

@@ -75,6 +75,9 @@ public:
   void method(std::string s);
   const std::string &method() const;
 
+  size_t header_buffer_size() const;
+  void update_header_buffer_size(size_t len);
+
 private:
   header_map header_;
   response_cb response_cb_;
@@ -84,6 +87,7 @@ private:
   class stream *strm_;
   uri_ref uri_;
   std::string method_;
+  size_t header_buffer_size_;
 };
 
 } // namespace client

src/asio_client_response_impl.cc

@@ -30,7 +30,8 @@ namespace nghttp2 {
 namespace asio_http2 {
 namespace client {
 
-response_impl::response_impl() : content_length_(-1), status_code_(0) {}
+response_impl::response_impl()
+    : content_length_(-1), header_buffer_size_(0), status_code_(0) {}
 
 void response_impl::on_data(data_cb cb) { data_cb_ = std::move(cb); }
 
@@ -52,6 +53,12 @@ header_map &response_impl::header() { return header_; }
 
 const header_map &response_impl::header() const { return header_; }
 
+size_t response_impl::header_buffer_size() const { return header_buffer_size_; }
+
+void response_impl::update_header_buffer_size(size_t len) {
+  header_buffer_size_ += len;
+}
+
 } // namespace client
 } // namespace asio_http2
 } // namespace nghttp2

src/asio_client_response_impl.h

@@ -53,12 +53,16 @@ public:
   header_map &header();
   const header_map &header() const;
 
+  size_t header_buffer_size() const;
+  void update_header_buffer_size(size_t len);
+
 private:
   data_cb data_cb_;
 
   header_map header_;
 
   int64_t content_length_;
+  size_t header_buffer_size_;
   int status_code_;
 };
 

src/asio_client_session_impl.cc

@@ -183,6 +183,12 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
     if (token == http2::HD__STATUS) {
       res.status_code(util::parse_uint(value, valuelen));
     } else {
+      if (res.header_buffer_size() + namelen + valuelen > 64_k) {
+        nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
+                                  frame->hd.stream_id, NGHTTP2_INTERNAL_ERROR);
+        break;
+      }
+      res.update_header_buffer_size(namelen + valuelen);
 
       if (token == http2::HD_CONTENT_LENGTH) {
         res.content_length(util::parse_uint(value, valuelen));
@@ -223,6 +229,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
       }
     // fall through
     default:
+      if (req.header_buffer_size() + namelen + valuelen > 64_k) {
+        nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
+                                  frame->hd.stream_id, NGHTTP2_INTERNAL_ERROR);
+        break;
+      }
+      req.update_header_buffer_size(namelen + valuelen);
+
       req.header().emplace(
           std::string(name, name + namelen),
           header_value{std::string(value, value + valuelen),

src/asio_server_http2_handler.cc

@@ -105,6 +105,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
     }
   // fall through
   default:
+    if (req.header_buffer_size() + namelen + valuelen > 64_k) {
+      nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE, frame->hd.stream_id,
+                                NGHTTP2_INTERNAL_ERROR);
+      break;
+    }
+    req.update_header_buffer_size(namelen + valuelen);
+
     req.header().emplace(std::string(name, name + namelen),
                          header_value{std::string(value, value + valuelen),
                                       (flags & NGHTTP2_NV_FLAG_NO_INDEX) != 0});

src/asio_server_request_impl.cc

@@ -28,7 +28,7 @@ namespace nghttp2 {
 namespace asio_http2 {
 namespace server {
 
-request_impl::request_impl() : strm_(nullptr) {}
+request_impl::request_impl() : strm_(nullptr), header_buffer_size_(0) {}
 
 const header_map &request_impl::header() const { return header_; }
 
@@ -62,6 +62,12 @@ void request_impl::remote_endpoint(boost::asio::ip::tcp::endpoint ep) {
   remote_ep_ = std::move(ep);
 }
 
+size_t request_impl::header_buffer_size() const { return header_buffer_size_; }
+
+void request_impl::update_header_buffer_size(size_t len) {
+  header_buffer_size_ += len;
+}
+
 } // namespace server
 } // namespace asio_http2
 } // namespace nghttp2

src/asio_server_request_impl.h

@@ -58,6 +58,9 @@ public:
   const boost::asio::ip::tcp::endpoint &remote_endpoint() const;
   void remote_endpoint(boost::asio::ip::tcp::endpoint ep);
 
+  size_t header_buffer_size() const;
+  void update_header_buffer_size(size_t len);
+
 private:
   class stream *strm_;
   header_map header_;
@@ -65,6 +68,7 @@ private:
   uri_ref uri_;
   data_cb on_data_cb_;
   boost::asio::ip::tcp::endpoint remote_ep_;
+  size_t header_buffer_size_;
 };
 
 } // namespace server

src/nghttp.cc

@@ -155,6 +155,7 @@ Request::Request(const std::string &uri, const http_parser_url &u,
       inflater(nullptr),
       html_parser(nullptr),
       data_prd(data_prd),
+      header_buffer_size(0),
       stream_id(-1),
       status(0),
       level(level),
@@ -1736,6 +1737,14 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
       break;
     }
 
+    if (req->header_buffer_size + namelen + valuelen > 64_k) {
+      nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE, frame->hd.stream_id,
+                                NGHTTP2_INTERNAL_ERROR);
+      return 0;
+    }
+
+    req->header_buffer_size += namelen + valuelen;
+
     auto token = http2::lookup_token(name, namelen);
 
     http2::index_header(req->res_hdidx, token, req->res_nva.size());
@@ -1751,6 +1760,15 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
       break;
     }
 
+    if (req->header_buffer_size + namelen + valuelen > 64_k) {
+      nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
+                                frame->push_promise.promised_stream_id,
+                                NGHTTP2_INTERNAL_ERROR);
+      return 0;
+    }
+
+    req->header_buffer_size += namelen + valuelen;
+
     auto token = http2::lookup_token(name, namelen);
 
     http2::index_header(req->req_hdidx, token, req->req_nva.size());
@@ -1838,6 +1856,10 @@ int on_frame_recv_callback2(nghttp2_session *session,
     if (!req) {
       break;
     }
+
+    // Reset for response header field reception
+    req->header_buffer_size = 0;
+
     auto scheme = req->get_req_header(http2::HD__SCHEME);
     auto authority = req->get_req_header(http2::HD__AUTHORITY);
     auto path = req->get_req_header(http2::HD__PATH);

src/nghttp.h

@@ -150,6 +150,7 @@ struct Request {
   nghttp2_gzip *inflater;
   HtmlParser *html_parser;
   const nghttp2_data_provider *data_prd;
+  size_t header_buffer_size;
   int32_t stream_id;
   int status;
   // Recursion level: 0: first entity, 1: entity linked from first entity