nghttpd: Limit request header buffer

b0227d40 · Tatsuhiro Tsujikawa · 28b643e5 · b0227d40 · b0227d40
Commit b0227d40 authored Feb 04, 2016 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

src/HttpServer.cc src/HttpServer.cc +8 -0

src/HttpServer.h src/HttpServer.h +3 -0

No files found.
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -447,6 +447,7 @@ Stream::Stream(Http2Handler *handler, int32_t stream_id)
      file_ent(nullptr),
      body_length(0),
      body_offset(0),
+      header_buffer_size(0),
      stream_id(stream_id),
      echo_upload(false) {
  auto config = handler->get_config();
@@ -1389,6 +1390,13 @@ int on_header_callback(nghttp2_session *session, const nghttp2_frame *frame,
    return 0;
  }

+  if (stream->header_buffer_size + namelen + valuelen > 64_k) {
+    hd->submit_rst_stream(stream, NGHTTP2_INTERNAL_ERROR);
+    return 0;
+  }
+
+  stream->header_buffer_size += namelen + valuelen;
+
  auto token = http2::lookup_token(name, namelen);

  http2::index_header(stream->hdidx, token, stream->headers.size());

--- a/src/HttpServer.h
+++ b/src/HttpServer.h
@@ -119,6 +119,9 @@ struct Stream {
  ev_timer wtimer;
  int64_t body_length;
  int64_t body_offset;
+  // Total amount of bytes (sum of name and value length) used in
+  // headers.
+  size_t header_buffer_size;
  int32_t stream_id;
  http2::HeaderIndex hdidx;
  bool echo_upload;