]> git.kaiwu.me - nginx.git/commit
Proxy: fix large body with proxy_set_body and HTTP/2
authorRoman Arutyunyan <arut@nginx.com>
Mon, 4 May 2026 14:43:17 +0000 (18:43 +0400)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:20:55 +0000 (21:20 +0400)
commita0e742944db64d8a547cc2e7a0ba4c2e85cd4b98
treea822ff5916b6ee59f3d9d4853fc035865cf92c9d
parent524977e7c534e87e5b55739fa74601c9f1102686
Proxy: fix large body with proxy_set_body and HTTP/2

Previously, if proxy_set_body was used with HTTP/2, and body size exceeded
16M, then an overflow happened in the 24-bit DATA frame size, which resulted
in sending unframed bytes, potentially allowing for an injection.

Also, DATA frame size could exceed NGX_HTTP_V2_DEFAULT_FRAME_SIZE (16K) and
available send window.

Reported by Mufeed VH of Winfunc Research.
src/http/modules/ngx_http_proxy_v2_module.c