diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/v3/ngx_http_v3_parse.c | 6 | ||||
| -rw-r--r-- | src/http/v3/ngx_http_v3_request.c | 13 |
2 files changed, 14 insertions, 5 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index 436765c8a..bcbf0dbe1 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -623,6 +623,12 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st, } if (st->huffman) { + if (n > NGX_MAX_INT_T_VALUE / 8) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent too large field line"); + return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD; + } + n = n * 8 / 5; st->huffstate = 0; } diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c index e41ad50a8..32b11b598 100644 --- a/src/http/v3/ngx_http_v3_request.c +++ b/src/http/v3/ngx_http_v3_request.c @@ -1003,6 +1003,7 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r) { ssize_t n; ngx_buf_t *b; + ngx_str_t host; ngx_connection_t *c; ngx_http_v3_session_t *h3c; ngx_http_v3_srv_conf_t *h3scf; @@ -1034,11 +1035,13 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r) goto failed; } - if (r->headers_in.host) { - if (r->headers_in.host->value.len != r->headers_in.server.len - || ngx_memcmp(r->headers_in.host->value.data, - r->headers_in.server.data, - r->headers_in.server.len) + if (r->headers_in.host && r->host_end) { + + host.len = r->host_end - r->host_start; + host.data = r->host_start; + + if (r->headers_in.host->value.len != host.len + || ngx_memcmp(r->headers_in.host->value.data, host.data, host.len) != 0) { ngx_log_error(NGX_LOG_INFO, c->log, 0, |