]> git.kaiwu.me - nginx.git/commit
Proxy: fix large body with proxy_set_body and HTTP/2
authorRoman Arutyunyan <arut@nginx.com>
Mon, 4 May 2026 14:43:17 +0000 (18:43 +0400)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:19:47 +0000 (21:19 +0400)
commitc24fb259d11252623e64e787fa22288496c93773
treeb34690af3ba85889f42c9b5e5c81913e2cc278c0
parent2046b45aa0c6e712c216b9075886f3f26e9b4ca9
Proxy: fix large body with proxy_set_body and HTTP/2

Previously, if proxy_set_body was used with HTTP/2, and body size exceeded
16M, then an overflow happened in the 24-bit DATA frame size, which resulted
in sending unframed bytes, potentially allowing for an injection.

Also, DATA frame size could exceed NGX_HTTP_V2_DEFAULT_FRAME_SIZE (16K) and
available send window.

Reported by Mufeed VH of Winfunc Research.
src/http/modules/ngx_http_proxy_v2_module.c