From: Roman Arutyunyan Date: Tue, 2 Jun 2026 15:37:17 +0000 (+0400) Subject: Upstream: limit header length for HTTP/2 and gRPC X-Git-Tag: release-1.30.3~2 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=131be8514da8985b15b74150521afedbf9cc4ea3;p=nginx.git Upstream: limit header length for HTTP/2 and gRPC The change applies the HTTP/2 header length limits to avoid buffer overflow. See 58a7bc3406ac for details. Reported by Mufeed VH of Winfunc Research. --- diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c index cc3aebe59..1895ef31b 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -749,6 +749,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) tmp_len = 0; } else { + if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 method: \"%V\"", &r->method_name); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len; tmp_len = r->method_name.len; } @@ -769,6 +775,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len; } + if (uri_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 URI"); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len; if (tmp_len < uri_len) { @@ -778,6 +790,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) /* :authority header */ if (!glcf->host_set) { + if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 host: \"%V\"", &ctx->host); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len; if (tmp_len < ctx->host.len) { @@ -808,6 +826,18 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) continue; } + if (key_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header name"); + return NGX_ERROR; + } + + if (val_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header value"); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len + NGX_HTTP_V2_INT_OCTETS + val_len; @@ -842,6 +872,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) continue; } + if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header name: \"%V\"", + &header[i].key); + return NGX_ERROR; + } + + if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header value: \"%V: %V\"", + &header[i].key, &header[i].value); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; diff --git a/src/http/modules/ngx_http_proxy_v2_module.c b/src/http/modules/ngx_http_proxy_v2_module.c index 0be5691aa..010c02a86 100644 --- a/src/http/modules/ngx_http_proxy_v2_module.c +++ b/src/http/modules/ngx_http_proxy_v2_module.c @@ -379,6 +379,12 @@ ngx_http_proxy_v2_create_request(ngx_http_request_t *r) tmp_len = 0; } else { + if (method.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 method: \"%V\"", &method); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + method.len; tmp_len = method.len; } @@ -419,6 +425,12 @@ ngx_http_proxy_v2_create_request(ngx_http_request_t *r) return NGX_ERROR; } + if (uri_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 URI"); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len; if (tmp_len < uri_len) { @@ -430,6 +442,12 @@ ngx_http_proxy_v2_create_request(ngx_http_request_t *r) host = &ctx->ctx.vars.host_header; if (!plcf->host_set) { + if (host->len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 host: \"%V\"", host); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + host->len; if (tmp_len < host->len) { @@ -483,6 +501,18 @@ ngx_http_proxy_v2_create_request(ngx_http_request_t *r) continue; } + if (key_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header name"); + return NGX_ERROR; + } + + if (val_len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header value"); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len + NGX_HTTP_V2_INT_OCTETS + val_len; @@ -517,6 +547,20 @@ ngx_http_proxy_v2_create_request(ngx_http_request_t *r) continue; } + if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header name: \"%V\"", + &header[i].key); + return NGX_ERROR; + } + + if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long http2 header value: \"%V: %V\"", + &header[i].key, &header[i].value); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + NGX_HTTP_V2_INT_OCTETS + header[i].value.len;