comparison src/http/v2/ngx_http_v2.c @ 7547:4f4b83f00cf1
HTTP/2: reject zero length headers with PROTOCOL_ERROR.
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 13 Aug 2019 15:43:32 +0300 |
parents | e7f19d268c72 |
children | 99257b06b0bd |
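--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1544,10 +1544,18 @@
 h2c->state.parse_name = 0;
 
 header->name.len = h2c->state.field_end - h2c->state.field_start;
 header->name.data = h2c->state.field_start;
 
+if (header->name.len == 0) {
+ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+"client sent zero header name length");
+
+return ngx_http_v2_connection_error(h2c,
+NGX_HTTP_V2_PROTOCOL_ERROR);
+}
+
 return ngx_http_v2_state_field_len(h2c, pos, end);
 }
 
 if (h2c->state.parse_value) {
 h2c->state.parse_value = 0;
@@ -3246,14 +3254,10 @@
 ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
 {
 u_char ch;
 ngx_uint_t i;
 ngx_http_core_srv_conf_t *cscf;
-
-if (header->name.len == 0) {
-return NGX_ERROR;
-}
 
 r->invalid_header = 0;
 
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 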
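Review bot: With the `header->name.len == 0` guard removed from `ngx_http_v2_validate_header()` (second hunk), that function now depends on every caller having already rejected empty names, and nothing at the top of it records that precondition. The new rejection lives only in the `parse_name` branch of the first hunk, so a name that reached validation by another route would no longer be caught here; whether such a route exists cannot be seen from these hunks, since both function bodies continue outside them. I would either document the invariant where the check used to be, e.g. `/* name.len != 0: zero-length names are rejected with PROTOCOL_ERROR while parsing the name field */`, or keep the two-line check as cheap defence in depth.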