mirror
/
nginx
mirror of https://github.com/nginx/nginx
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HTTP/3: fixed potential type overflow in string literal parser. 

This might happen for Huffman encoded string literals as the result
of length expansion.  Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.
This commit is contained in:
Sergey Kandaurov 2024-09-05 19:35:43 +04:00 committed by pluknet
parent c52c5698cd
commit 3739fe94d1
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/http/v3/ngx_http_v3_parse.c
View File

@ -623,6 +623,12 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
}
if (st->huffman) {
if (n > NGX_MAX_INT_T_VALUE / 8) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent too large field line");
return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
}
n = n * 8 / 5;
st->huffstate = 0;
}