changeset 9435:efb06290410c

HTTP/3: fixed potential type overflow in string literal parser. This might happen for Huffman encoded string literals as the result of length expansion. Notably, the maximum length of string literals is already limited with the "large_client_header_buffers" directive, so this was only possible with nonsensically large configured limits.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 05 Sep 2024 19:35:43 +0400
parents 13426789d655
children cd57402d2f66
files src/http/v3/ngx_http_v3_parse.c
diffstat 1 files changed, 6 insertions(+), 0 deletions(-)
--- a/src/http/v3/ngx_http_v3_parse.c	Thu Jul 10 16:59:05 2025 +0400
+++ b/src/http/v3/ngx_http_v3_parse.c	Thu Sep 05 19:35:43 2024 +0400
@@ -623,6 +623,12 @@
             }
 
             if (st->huffman) {
+                if (n > NGX_MAX_INT_T_VALUE / 8) {
+                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                                  "client sent too large field line");
+                    return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+                }
+
                 n = n * 8 / 5;
                 st->huffstate = 0;
             }
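Review bot: the new guard `if (n > NGX_MAX_INT_T_VALUE / 8)` only protects the `n * 8` intermediate in `n = n * 8 / 5` if `n` is non-negative and its type is at least as wide as `ngx_int_t`. The declaration of `n` is outside this hunk, so please confirm its type. If it is narrower, or an unsigned type with a different maximum, the bound should be derived from that type's limit. A short comment above the check would also help, saying that the divisor 8 matches the multiplication in the Huffman length expansion on the following line, so the two stay in sync if the expansion ratio is ever changed.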