HTTP/2: reject self-dependent streams.

Per RFC7540, a stream cannot depend on itself. Previously, this requirement was enforced on PRIORITY frames, but not on HEADERS frames and due to the implementation details nginx worker would crash (stack overflow) while opening self-dependent stream. Found with afl-fuzz. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2025-01-19 01:42:58 +08:00 · 2015-10-01 20:25:55 -07:00 · 2015-10-01 20:25:55 -07:00 · 71a6b600c2
commit 71a6b600c2
parent 79a03b3ff6
1 changed files with 16 additions and 0 deletions
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@ -1133,6 +1133,22 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,

    h2c->last_sid = h2c->state.sid;

+    if (depend == h2c->state.sid) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent HEADERS frame for stream %ui "
+                      "with incorrect dependency", h2c->state.sid);
+
+        if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid,
+                                        NGX_HTTP_V2_PROTOCOL_ERROR)
+            != NGX_OK)
+        {
+            return ngx_http_v2_connection_error(h2c,
+                                                NGX_HTTP_V2_INTERNAL_ERROR);
+        }
+
+        return ngx_http_v2_state_skip_headers(h2c, pos, end);
+    }
+
    h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
                                         ngx_http_v2_module);