Klaus Demo nginx / 6dfbc8b
HTTP/2: reject zero length headers with PROTOCOL_ERROR. Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length. Sergey Kandaurov a month ago
1 changed file(s) with 8 addition(s) and 4 deletion(s).
15451545 header->name.len = h2c->state.field_end - h2c->state.field_start;
15461546 header->name.data = h2c->state.field_start;
15471547
1548 if (header->name.len == 0) {
1549 ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
1550 "client sent zero header name length");
1551
1552 return ngx_http_v2_connection_error(h2c,
1553 NGX_HTTP_V2_PROTOCOL_ERROR);
1554 }
1555
15481556 return ngx_http_v2_state_field_len(h2c, pos, end);
15491557 }
15501558
32473255 u_char ch;
32483256 ngx_uint_t i;
32493257 ngx_http_core_srv_conf_t *cscf;
3250
3251 if (header->name.len == 0) {
3252 return NGX_ERROR;
3253 }
32543258
32553259 r->invalid_header = 0;
32563260
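Review bot: With the zero-length check deleted in the second hunk (old lines 3250–3253), the validation routine there no longer rejects an empty header name on its own, so it now depends on every path into it having passed the new check at new lines 1548–1554. Whether any other caller can hand it a name that was not parsed through the state handler in the first hunk is not visible here and should be confirmed; if one exists, an empty name would presumably pass validation. I would either keep the cheap `if (header->name.len == 0) { return NGX_ERROR; }` guard as defence in depth, or record the invariant where it was removed, e.g. `/* header->name.len != 0 is guaranteed by the header field parser */`. Both enclosing functions start and end outside the visible lines.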