RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: mux-h2: Check the number of headers in HEADERS frame after decoding 

There is no explicit test on the number of headers when a HEADERS frame is
received. It is implicitely limited by the size of the header list. But it
is twice the configured limit to be sure to decode the frame.

So now, a check is performed after the HTX message was created. This way, we
are sure to not exceed the configured limit after the decoding stage. If
there are too many headers, a parsing error is reported.

Note the same is performed on the trailers.

This patch should patially address the issue #2685. It should be backported
to all stable versions.
This commit is contained in:
Christopher Faulet 2024-11-20 16:27:34 +01:00
parent e415e3cb7a
commit 63d2760dfa
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/h2.c
View File

@ -494,6 +494,10 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
goto fail; goto fail;
} }
/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
if (htx_nbblks(htx) > global.tune.max_http_hdr)
goto fail;
/* now send the end of headers marker */ /* now send the end of headers marker */
if (!htx_add_endof(htx, HTX_BLK_EOH)) if (!htx_add_endof(htx, HTX_BLK_EOH))
goto fail; goto fail;
@ -745,6 +749,10 @@ int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *m
*/ */
} }
/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
if (htx_nbblks(htx) > global.tune.max_http_hdr)
goto fail;
/* now send the end of headers marker */ /* now send the end of headers marker */
if (!htx_add_endof(htx, HTX_BLK_EOH)) if (!htx_add_endof(htx, HTX_BLK_EOH))
goto fail; goto fail;
@ -812,6 +820,10 @@ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx)
goto fail; goto fail;
} }
/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOT block */
if (htx_nbblks(htx) > global.tune.max_http_hdr)
goto fail;
if (!htx_add_endof(htx, HTX_BLK_EOT)) if (!htx_add_endof(htx, HTX_BLK_EOT))
goto fail; goto fail;

1
src/mux_h2.c
View File

@ -5979,6 +5979,7 @@ static int h2c_dec_hdrs(struct h2c *h2c, struct buffer *rxbuf, uint32_t *flags,
/* Trailers terminate a DATA sequence */ /* Trailers terminate a DATA sequence */
if (h2_make_htx_trailers(list, htx) <= 0) { if (h2_make_htx_trailers(list, htx) <= 0) {
TRACE_STATE("failed to append HTX trailers into rxbuf", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR, h2c->conn); TRACE_STATE("failed to append HTX trailers into rxbuf", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR, h2c->conn);
htx->flags |= HTX_FL_PARSING_ERROR;
goto fail; goto fail;
} }
*flags |= H2_SF_ES_RCVD; *flags |= H2_SF_ES_RCVD;