QUIC: limited the total number of frames.
authorRoman Arutyunyan <arut@nginx.com>
Wed, 13 Oct 2021 11:46:51 +0000 (14:46 +0300)
committerRoman Arutyunyan <arut@nginx.com>
Wed, 13 Oct 2021 11:46:51 +0000 (14:46 +0300)
Exceeding 10000 allocated frames is considered a flood.

src/event/quic/ngx_event_quic_connection.h
src/event/quic/ngx_event_quic_frames.c

index b58e9f5869c61ff102a1e2034c27f8cca809dfc2..9f3cb2cd0ee5ce72be34f64eeef10818a5c6d51a 100644 (file)
@@ -228,8 +228,8 @@ struct ngx_quic_connection_s {
     ngx_chain_t                      *free_bufs;
     ngx_buf_t                        *free_shadow_bufs;
 
-#ifdef NGX_QUIC_DEBUG_ALLOC
     ngx_uint_t                        nframes;
+#ifdef NGX_QUIC_DEBUG_ALLOC
     ngx_uint_t                        nbufs;
 #endif
 
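Review bot: `nframes` now sits outside `#ifdef NGX_QUIC_DEBUG_ALLOC` with nothing to say why, while `nbufs` directly below it stays debug-only. Since the second hunk in this commit makes the counter enforce the flood limit, a short comment would stop a later cleanup from moving it back under the debug guard, for example `/* frames allocated from the pool; bounded in ngx_quic_alloc_frame() */`. The struct body starts and ends outside this hunk.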
index 438565858771533469062e0afd6e54087c955843..8d9fe24c22ef4a5cb02b1050c35d46e3f1fabef8 100644 (file)
@@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c)
                        "quic reuse frame n:%ui", qc->nframes);
 #endif
 
-    } else {
+    } else if (qc->nframes < 10000) {
         frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
         if (frame == NULL) {
             return NULL;
         }
 
-#ifdef NGX_QUIC_DEBUG_ALLOC
         ++qc->nframes;
 
+#ifdef NGX_QUIC_DEBUG_ALLOC
         ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "quic alloc frame n:%ui", qc->nframes);
 #endif
+
+    } else {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+        return NULL;
     }
 
     ngx_memzero(frame, sizeof(ngx_quic_frame_t));
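Review bot: The limit in `} else if (qc->nframes < 10000) {` is a bare literal, so the flood threshold is only discoverable by reading this branch. A named constant, for example `#define NGX_QUIC_MAX_FRAMES  10000` in the connection header with `qc->nframes < NGX_QUIC_MAX_FRAMES` here, would make it reviewable and tunable in one place. Within this hunk the counter is incremented only on the `ngx_palloc()` path and not on the reuse path, so it appears to count frames ever allocated for the connection rather than frames currently in use; a one-line comment saying so would help. The flood case and an allocation failure both return NULL, so callers (outside this hunk) cannot tell them apart except through the `"quic flood detected"` log line. The function starts and ends outside the hunk.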