comparison src/http/v2/ngx_http_v2.c @ 7547:4f4b83f00cf1

HTTP/2: reject zero length headers with PROTOCOL_ERROR. Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 13 Aug 2019 15:43:32 +0300
parents e7f19d268c72
children 99257b06b0bd
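--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1544,10 +1544,18 @@
 h2c->state.parse_name = 0;
 
 header->name.len = h2c->state.field_end - h2c->state.field_start;
 header->name.data = h2c->state.field_start;
 
+if (header->name.len == 0) {
+ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+"client sent zero header name length");
+
+return ngx_http_v2_connection_error(h2c,
+NGX_HTTP_V2_PROTOCOL_ERROR);
+}
+
 return ngx_http_v2_state_field_len(h2c, pos, end);
 }
 
 if (h2c->state.parse_value) {
 h2c->state.parse_value = 0;
@@ -3246,14 +3254,10 @@
 ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
 {
 u_char ch;
 ngx_uint_t i;
 ngx_http_core_srv_conf_t *cscf;
-
-if (header->name.len == 0) {
-return NGX_ERROR;
-}
 
 r->invalid_header = 0;
 
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 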
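Review bot: Dropping the `header->name.len == 0` guard from ngx_http_v2_validate_header leaves that function relying on an invariant that is enforced elsewhere, in the `parse_name` branch, and nothing at the removal site records it. The rest of the validator and the function enclosing the `parse_name` branch both lie outside the visible hunks, so I cannot confirm that every path which fills `header->name` passes through the new check, or that the validator never reads `name.data` before looking at the length. I would either keep the cheap early return as defence in depth or add a comment at the top of the validator such as `/* name.len != 0: empty names are rejected with PROTOCOL_ERROR when the name field is parsed */`. The new check also rejects only an empty name, so a header with a non-empty name and an empty value is still accepted; that matches the last sentence of the description but not its title, and a one-line comment at the check saying empty values are intentionally allowed would remove the ambiguity.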