HTTP/2: reject zero length headers with PROTOCOL_ERROR.
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
Sergey Kandaurov
2 years ago
| 1545 | 1545 | header->name.len = h2c->state.field_end - h2c->state.field_start; |
| 1546 | 1546 | header->name.data = h2c->state.field_start; |
| 1547 | 1547 | |
| 1548 | if (header->name.len == 0) { | |
| 1549 | ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, | |
| 1550 | "client sent zero header name length"); | |
| 1551 | ||
| 1552 | return ngx_http_v2_connection_error(h2c, | |
| 1553 | NGX_HTTP_V2_PROTOCOL_ERROR); | |
| 1554 | } | |
| 1555 | ||
| 1548 | 1556 | return ngx_http_v2_state_field_len(h2c, pos, end); |
| 1549 | 1557 | } |
| 1550 | 1558 | |
| 3247 | 3255 | u_char ch; |
| 3248 | 3256 | ngx_uint_t i; |
| 3249 | 3257 | ngx_http_core_srv_conf_t *cscf; |
| 3250 | ||
| 3251 | if (header->name.len == 0) { | |
| 3252 | return NGX_ERROR; | |
| 3253 | } | |
| 3254 | 3258 | |
| 3255 | 3259 | r->invalid_header = 0; |
| 3256 | 3260 | |