]> git.ipfire.org Git - thirdparty/unbound.git/commitdiff
- Limit the number of consecutive reads on an HTTP/2 session.
authorYorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Fri, 29 Aug 2025 13:35:32 +0000 (15:35 +0200)
committerYorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Fri, 29 Aug 2025 13:35:32 +0000 (15:35 +0200)
  Thanks to Gal Bar Nahum for exposing the possibility of infinite
  reads on the session.

doc/Changelog
util/netevent.c
util/netevent.h

index dc0c0d0be673f880956c4dc31a81b5c306557821..214e69484d077d1dc5be59450b4ee254dbb04fe3 100644 (file)
@@ -1,3 +1,8 @@
+29 August 2025: Yorgos
+       - Limit the number of consecutive reads on an HTTP/2 session.
+         Thanks to Gal Bar Nahum for exposing the possibility of infinite
+         reads on the session.
+
 28 August 2025: Wouter
        - Fix setup_listen_sslctx warning for nettle compile.
 
index 7a015e08e9d1051bc33249a456cfb726fa38b560..aedcb5e07a3028809dba2dcb0dd2522ec4a4878c 100644 (file)
@@ -5161,6 +5161,15 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
 
        log_assert(h2_session->c->type == comm_http);
        log_assert(h2_session->c->h2_session);
+       if(++h2_session->reads_count > h2_session->c->http2_max_streams) {
+               /* We are somewhat arbitrarily capping the amount of
+                * consecutive reads on the HTTP2 session to the number of max
+                * allowed streams.
+                * When we reach the cap, error out with NGHTTP2_ERR_WOULDBLOCK
+                * to signal nghttp2_session_recv() to stop reading for now. */
+               h2_session->reads_count = 0;
+               return NGHTTP2_ERR_WOULDBLOCK;
+       }
 
 #ifdef HAVE_SSL
        if(h2_session->c->ssl) {
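Review bot: The counter added at the top of http2_recv_cb is cleared only on the branch that hits the cap, so as far as this hunk shows `reads_count` keeps its value when a read ends because the socket has no more data, and the limit then counts reads across separate read events rather than consecutive ones. If the paths further down that return NGHTTP2_ERR_WOULDBLOCK (outside this hunk) do not already do so, they should also run `h2_session->reads_count = 0;`. The comparison also assumes `http2_max_streams` is at least 1: with a value of 0 every call returns NGHTTP2_ERR_WOULDBLOCK before reading and the session never makes progress, so it is worth confirming the option is validated or clamping the cap here. On the TLS path, it would also help to confirm that returning early while the SSL object still holds buffered data gets the session rescheduled, since the socket itself may not signal readable again.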
index f0f336e43a740f252baf8b8a4c2e7188111dc09a..c5114bbbef27da7a86251457821c10aed6d70907 100644 (file)
@@ -939,6 +939,8 @@ struct http2_session {
        /** comm point containing buffer used to build answer in worker or
         * module */
        struct comm_point* c;
+       /** count the number of consecutive reads on the session */
+       uint32_t reads_count;
        /** session is instructed to get dropped (comm port will be closed) */
        int is_drop;
        /** postpone dropping the session, can be used to prevent dropping
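Review bot: The doc comment on `reads_count` does not say what the count is compared against or when it is cleared, which is what a reader of the struct needs to know. Something like `/** number of reads done by http2_recv_cb since the last reset; capped at c->http2_max_streams */` would tie the field to the limit it enforces. The initialisation of the new field is not visible in this commit, so it is worth checking that the code creating `struct http2_session` zeroes it. The struct definition starts and ends outside this hunk.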