Limit the number of active concurrent HTTP/2 streams

The initial intent was to limit the number of concurrent streams by
the value of 100 but due to the error when reading the documentation
it was set to the maximum possible number of streams per session.

This could lead to security issues, e.g. a remote attacker could have
taken down the BIND instance by creating lots of sessions via low
number of transport connections. This commit fixes that.

diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 599dd861114121d8e4e6fae663bbd638977e6fcb..e46f2c39ff6371933d6af4c433fa73926c2a130c 100644 (file)
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -49,7 +49,7 @@
 #define MAX_ALLOWED_DATA_IN_POST \
        (MAX_DNS_MESSAGE_SIZE + MAX_DNS_MESSAGE_SIZE / 2)
 
-#define MAX_STREAMS_PER_SESSION (NGHTTP2_INITIAL_MAX_CONCURRENT_STREAMS)
+#define MAX_STREAMS_PER_SESSION (100)
 
 #define HEADER_MATCH(header, name, namelen)   \
        (((namelen) == sizeof(header) - 1) && \