There is no explicit test on the number of headers when a HEADERS frame is
received. It is implicitely limited by the size of the header list. But it
is twice the configured limit to be sure to decode the frame.
So now, a check is performed after the HTX message was created. This way, we
are sure to not exceed the configured limit after the decoding stage. If
there are too many headers, a parsing error is reported.
Note the same is performed on the trailers.
This patch should patially address the issue #2685. It should be backported
to all stable versions.
goto fail;
}
+ /* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
+ if (htx_nbblks(htx) > global.tune.max_http_hdr)
+ goto fail;
+
/* now send the end of headers marker */
if (!htx_add_endof(htx, HTX_BLK_EOH))
goto fail;
*/
}
+ /* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
+ if (htx_nbblks(htx) > global.tune.max_http_hdr)
+ goto fail;
+
/* now send the end of headers marker */
if (!htx_add_endof(htx, HTX_BLK_EOH))
goto fail;
goto fail;
}
+ /* Check the number of blocks agains "tune.http.maxhdr" value before adding EOT block */
+ if (htx_nbblks(htx) > global.tune.max_http_hdr)
+ goto fail;
+
if (!htx_add_endof(htx, HTX_BLK_EOT))
goto fail;
/* Trailers terminate a DATA sequence */
if (h2_make_htx_trailers(list, htx) <= 0) {
TRACE_STATE("failed to append HTX trailers into rxbuf", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR, h2c->conn);
+ htx->flags |= HTX_FL_PARSING_ERROR;
goto fail;
}
*flags |= H2_SF_ES_RCVD;
projects / thirdparty / haproxy.git / commitdiff
