HTTP/3: fixed potential type overflow in string literal parser.

This might happen for Huffman encoded string literals as the result of length expansion. Notably, the maximum length of string literals is already limited with the "large_client_header_buffers" directive, so this was only possible with nonsensically large configured limits.
author: Sergey Kandaurov <pluknet@nginx.com> 2024-09-05 19:35:43 +0400
committer: pluknet <pluknet@nginx.com> 2025-07-23 17:24:43 +0400
commit: 3739fe94d1c3c844708b219776f1921bff16b56f (patch)
tree: 137aefd466a188a4a90e6063a20473be3af171c6 /src/http/v3/ngx_http_v3_parse.c
parent: c52c5698cd7640621b8e4ba8a54ccfc38f5b95ff (diff)
download: nginx-3739fe94d1c3c844708b219776f1921bff16b56f.tar.gz
nginx-3739fe94d1c3c844708b219776f1921bff16b56f.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
index 436765c8a..bcbf0dbe1 100644
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -623,6 +623,12 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
             }
 
             if (st->huffman) {
+                if (n > NGX_MAX_INT_T_VALUE / 8) {
+                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                                  "client sent too large field line");
+                    return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+                }
+
                 n = n * 8 / 5;
                 st->huffstate = 0;
             }
author	Sergey Kandaurov <pluknet@nginx.com>	2024-09-05 19:35:43 +0400
committer	pluknet <pluknet@nginx.com>	2025-07-23 17:24:43 +0400
commit	3739fe94d1c3c844708b219776f1921bff16b56f (patch)
tree	137aefd466a188a4a90e6063a20473be3af171c6 /src/http/v3/ngx_http_v3_parse.c
parent	c52c5698cd7640621b8e4ba8a54ccfc38f5b95ff (diff)
download	nginx-3739fe94d1c3c844708b219776f1921bff16b56f.tar.gz nginx-3739fe94d1c3c844708b219776f1921bff16b56f.zip