HTTP/3: limited client header size.
authorRoman Arutyunyan <arut@nginx.com>
Wed, 17 Feb 2021 08:58:32 +0000 (11:58 +0300)
committerRoman Arutyunyan <arut@nginx.com>
Wed, 17 Feb 2021 08:58:32 +0000 (11:58 +0300)
The limit is the size of all large client header buffers.  Client header size
is the total size of all client header names and values.

src/http/v3/ngx_http_v3.h
src/http/v3/ngx_http_v3_request.c

index 2b0693975104dd9d6674de16638eb6f9f3e3ea8b..4c5c8e66c0cef10f0c57ddb316ec0ffed2a82f57 100644 (file)
@@ -99,6 +99,7 @@ typedef struct {
 
 
 struct ngx_http_v3_parse_s {
+    size_t                        header_limit;
     ngx_http_v3_parse_headers_t   headers;
     ngx_http_v3_parse_data_t      body;
 };
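Review bot: The new `header_limit` field carries no comment, and its name suggests a fixed cap, while `ngx_http_v3_process_header()` in this same commit subtracts every accepted header's length from it, so it actually holds the remaining budget. A one-line comment on the field would stop a later reader from comparing it against a running total, for example `/* remaining bytes of header names and values allowed for this request */`. A name such as `header_left` would say the same in code, though that is a matter of style.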
index ef3053689d1e01dc308da601157a715b0463b7fb..689d9fc61d6631a66bfa03788f6415cf974b739a 100644 (file)
@@ -118,6 +118,9 @@ ngx_http_v3_init(ngx_connection_t *c)
         return;
     }
 
+    r->v3_parse->header_limit = cscf->large_client_header_buffers.size
+                                * cscf->large_client_header_buffers.num;
+
     c->data = r;
 
     rev = c->read;
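Review bot: The limit read from `cscf->large_client_header_buffers` is fixed here in `ngx_http_v3_init()`, before any header has been parsed. It therefore presumably reflects the server configuration known at init rather than the virtual server the request later resolves to; the assignment of `cscf` is outside the hunk, so this needs confirming. If so, a tighter `large_client_header_buffers` in a non-default server block would not apply to HTTP/3 requests, which deserves a comment such as `/* taken from the server conf known at init; not re-read after virtual host selection */`. The product of `size` and `num` is also computed without an overflow check, which matters only for extreme configured values.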
@@ -261,11 +264,23 @@ static ngx_int_t
 ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
     ngx_str_t *value)
 {
+    size_t                      len;
     ngx_table_elt_t            *h;
     ngx_http_header_t          *hh;
     ngx_http_core_srv_conf_t   *cscf;
     ngx_http_core_main_conf_t  *cmcf;
 
+    len = name->len + value->len;
+
+    if (len > r->v3_parse->header_limit) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent too large header");
+        ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+        return NGX_ERROR;
+    }
+
+    r->v3_parse->header_limit -= len;
+
     if (ngx_http_v3_validate_header(r, name, value) != NGX_OK) {
         ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
         return NGX_ERROR;
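Review bot: The budget check built on `len = name->len + value->len;` charges only name and value bytes, so a header with a very short name and an empty value costs almost nothing against `header_limit`. Each accepted header presumably still consumes a table element further down (that allocation is outside the hunk), so the byte cap bounds per-request memory only loosely when a request carries many tiny headers. RFC 9114 sizes a field section as name plus value plus 32 bytes per field; charging a comparable fixed overhead, `len = name->len + value->len + 32;`, would make the limit track the real cost more closely. The body of `ngx_http_v3_process_header()` continues past the end of the hunk.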