Mercurial > hg > nginx-quic
changeset 7554:b19cd299f37c stable-1.16
HTTP/2: reject zero length headers with PROTOCOL_ERROR.
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 13 Aug 2019 15:43:32 +0300 |
parents | 9544d6ed9017 |
children | 99b6733876c4 |
files | src/http/v2/ngx_http_v2.c |
diffstat | 1 files changed, 8 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_htt header->name.len = h2c->state.field_end - h2c->state.field_start; header->name.data = h2c->state.field_start; + if (header->name.len == 0) { + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent zero header name length"); + + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_PROTOCOL_ERROR); + } + return ngx_http_v2_state_field_len(h2c, pos, end); } @@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_req ngx_uint_t i; ngx_http_core_srv_conf_t *cscf; - if (header->name.len == 0) { - return NGX_ERROR; - } - r->invalid_header = 0; cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);