From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 5 Jun 2022 09:41:49 +0000 (+0200)
Subject: http2: reject overly many push-promise headers
X-Git-Tag: curl-7_84_0~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21ea13cfe1c036bb9de048c443aea438bcf185e3;p=thirdparty%2Fcurl.git

http2: reject overly many push-promise headers

Getting more than a thousand of them is rather a sign of some kind of
attack.

Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1589847
Closes #8962
---

diff --git a/lib/http2.c b/lib/http2.c
index cb17fe3ad6..0fd91a920f 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1050,6 +1050,12 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
     else if(stream->push_headers_used ==
             stream->push_headers_alloc) {
       char **headp;
+      if(stream->push_headers_alloc > 1000) {
+        /* this is beyond crazy many headers, bail out */
+        failf(data_s, "Too many PUSH_PROMISE headers");
+        Curl_safefree(stream->push_headers);
+        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+      }
       stream->push_headers_alloc *= 2;
       headp = Curl_saferealloc(stream->push_headers,
                                stream->push_headers_alloc * sizeof(char *));