mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 21:52:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

HTTP/2: reject zero length headers with PROTOCOL_ERROR.

Browse Source 
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
This commit is contained in:
Sergey Kandaurov 2019-08-13 15:43:32 +03:00
parent abe660636c
commit 6dfbc8b1c2
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/http/v2/ngx_http_v2.c
View File

@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
header->name.len = h2c->state.field_end - h2c->state.field_start; header->name.len = h2c->state.field_end - h2c->state.field_start;
header->name.data = h2c->state.field_start; header->name.data = h2c->state.field_start;
if (header->name.len == 0) {
ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
"client sent zero header name length");
return ngx_http_v2_connection_error(h2c,
NGX_HTTP_V2_PROTOCOL_ERROR);
}
return ngx_http_v2_state_field_len(h2c, pos, end); return ngx_http_v2_state_field_len(h2c, pos, end);
} }
@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
ngx_uint_t i; ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf; ngx_http_core_srv_conf_t *cscf;
if (header->name.len == 0) {
return NGX_ERROR;
}
r->invalid_header = 0; r->invalid_header = 0;
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);