diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2020-07-03 09:26:12 +0300 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2020-07-03 09:26:12 +0300 |
| commit | 3a9874c4ab00d443c66e175502466b0105e8f3be (patch) | |
| tree | fcaab10614036e7c44427c2f75a86edc30e8222c /src | |
| parent | 3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1 (diff) | |
| download | nginx-3a9874c4ab00d443c66e175502466b0105e8f3be.tar.gz nginx-3a9874c4ab00d443c66e175502466b0105e8f3be.zip | |
HTTP/3: limited prefixed integer size by 62 bits.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/v3/ngx_http_v3_parse.c | 104 |
1 files changed, 66 insertions, 38 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index bb8d73296..8b1f745fe 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -119,6 +119,15 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c, case sw_value: st->value += (uint64_t) (ch & 0x7f) << st->shift; + + if (st->shift == 56 + && ((ch & 0x80) || (st->value & 0xc000000000000000))) + { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client exceeded integer size limit"); + return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD; + } + if (ch & 0x80) { st->shift += 7; break; @@ -281,8 +290,9 @@ ngx_http_v3_parse_header_block_prefix(ngx_connection_t *c, case sw_req_insert_count: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 8, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 8, ch); + if (rc != NGX_DONE) { + return rc; } st->insert_count = st->pint.value; @@ -298,8 +308,9 @@ ngx_http_v3_parse_header_block_prefix(ngx_connection_t *c, case sw_read_delta_base: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->delta_base = st->pint.value; @@ -521,8 +532,9 @@ ngx_http_v3_parse_header_ri(ngx_connection_t *c, ngx_http_v3_parse_header_t *st, case sw_index: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch); + if (rc != NGX_DONE) { + return rc; } st->index = st->pint.value; @@ -578,8 +590,9 @@ ngx_http_v3_parse_header_lri(ngx_connection_t *c, case sw_index: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 4, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 4, ch); + if (rc != NGX_DONE) { + return rc; } st->index = st->pint.value; @@ -595,8 +608,9 @@ ngx_http_v3_parse_header_lri(ngx_connection_t *c, case sw_read_value_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -673,8 +687,9 @@ ngx_http_v3_parse_header_l(ngx_connection_t *c, case sw_name_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 3, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 3, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -710,8 +725,9 @@ ngx_http_v3_parse_header_l(ngx_connection_t *c, case sw_read_value_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -773,8 +789,9 @@ ngx_http_v3_parse_header_pbi(ngx_connection_t *c, case sw_index: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 4, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 4, ch); + if (rc != NGX_DONE) { + return rc; } st->index = st->pint.value; @@ -825,8 +842,9 @@ ngx_http_v3_parse_header_lpbi(ngx_connection_t *c, case sw_index: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 3, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 3, ch); + if (rc != NGX_DONE) { + return rc; } st->index = st->pint.value; @@ -842,8 +860,9 @@ ngx_http_v3_parse_header_lpbi(ngx_connection_t *c, case sw_read_value_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -1188,8 +1207,9 @@ ngx_http_v3_parse_encoder(ngx_connection_t *c, void *data, u_char ch) case sw_capacity: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch); + if (rc != NGX_DONE) { + return rc; } rc = ngx_http_v3_set_capacity(c, st->pint.value); @@ -1201,8 +1221,9 @@ ngx_http_v3_parse_encoder(ngx_connection_t *c, void *data, u_char ch) case sw_duplicate: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch); + if (rc != NGX_DONE) { + return rc; } rc = ngx_http_v3_duplicate(c, st->pint.value); @@ -1251,8 +1272,9 @@ ngx_http_v3_parse_header_inr(ngx_connection_t *c, case sw_name_index: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch); + if (rc != NGX_DONE) { + return rc; } st->index = st->pint.value; @@ -1268,8 +1290,9 @@ ngx_http_v3_parse_header_inr(ngx_connection_t *c, case sw_read_value_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -1343,8 +1366,9 @@ ngx_http_v3_parse_header_iwnr(ngx_connection_t *c, case sw_name_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 5, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -1380,8 +1404,9 @@ ngx_http_v3_parse_header_iwnr(ngx_connection_t *c, case sw_read_value_len: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } st->literal.length = st->pint.value; @@ -1465,8 +1490,9 @@ ngx_http_v3_parse_decoder(ngx_connection_t *c, void *data, u_char ch) case sw_ack_header: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 7, ch); + if (rc != NGX_DONE) { + return rc; } rc = ngx_http_v3_ack_header(c, st->pint.value); @@ -1478,8 +1504,9 @@ ngx_http_v3_parse_decoder(ngx_connection_t *c, void *data, u_char ch) case sw_cancel_stream: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch); + if (rc != NGX_DONE) { + return rc; } rc = ngx_http_v3_cancel_stream(c, st->pint.value); @@ -1491,8 +1518,9 @@ ngx_http_v3_parse_decoder(ngx_connection_t *c, void *data, u_char ch) case sw_inc_insert_count: - if (ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch) != NGX_DONE) { - break; + rc = ngx_http_v3_parse_prefix_int(c, &st->pint, 6, ch); + if (rc != NGX_DONE) { + return rc; } rc = ngx_http_v3_inc_insert_count(c, st->pint.value); |