BUG/MEDIUM: mux-h2: Check the number of headers in HEADERS frame after decoding

capflam · capflam · commit 63d2760dfa67 · 2024-11-20T17:44:22.000+01:00
There is no explicit test on the number of headers when a HEADERS frame is
received. It is implicitely limited by the size of the header list. But it
is twice the configured limit to be sure to decode the frame.

So now, a check is performed after the HTX message was created. This way, we
are sure to not exceed the configured limit after the decoding stage. If
there are too many headers, a parsing error is reported.

Note the same is performed on the trailers.

This patch should patially address the issue #2685. It should be backported
to all stable versions.
diff --git a/src/h2.c b/src/h2.c
@@ -494,6 +494,10 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
 			goto fail;
 	}
 
+	/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
+	if (htx_nbblks(htx) > global.tune.max_http_hdr)
+		goto fail;
+
 	/* now send the end of headers marker */
 	if (!htx_add_endof(htx, HTX_BLK_EOH))
 		goto fail;
@@ -745,6 +749,10 @@ int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *m
 		 */
 	}
 
+	/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOH block */
+	if (htx_nbblks(htx) > global.tune.max_http_hdr)
+		goto fail;
+
 	/* now send the end of headers marker */
 	if (!htx_add_endof(htx, HTX_BLK_EOH))
 		goto fail;
@@ -812,6 +820,10 @@ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx)
 			goto fail;
 	}
 
+	/* Check the number of blocks agains "tune.http.maxhdr" value before adding EOT block */
+	if (htx_nbblks(htx) > global.tune.max_http_hdr)
+		goto fail;
+
 	if (!htx_add_endof(htx, HTX_BLK_EOT))
 		goto fail;
 
diff --git a/src/mux_h2.c b/src/mux_h2.c
@@ -5979,6 +5979,7 @@ static int h2c_dec_hdrs(struct h2c *h2c, struct buffer *rxbuf, uint32_t *flags,
 	/* Trailers terminate a DATA sequence */
 	if (h2_make_htx_trailers(list, htx) <= 0) {
 		TRACE_STATE("failed to append HTX trailers into rxbuf", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR, h2c->conn);
+		htx->flags |= HTX_FL_PARSING_ERROR;
 		goto fail;
 	}
 	*flags |= H2_SF_ES_RCVD;

Original file line number	Diff line number	Diff line change
`@@ -5979,6 +5979,7 @@ static int h2c_dec_hdrs(struct h2c h2c, struct buffer rxbuf, uint32_t *flags,`
`5979`	`5979`	`/* Trailers terminate a DATA sequence */`
`5980`	`5980`	`if (h2_make_htx_trailers(list, htx) <= 0) {`
`5981`	`5981`	`TRACE_STATE("failed to append HTX trailers into rxbuf", H2_EV_RX_FRAME\|H2_EV_RX_HDR\|H2_EV_H2S_ERR, h2c->conn);`
	`5982`	`+ htx->flags \|= HTX_FL_PARSING_ERROR;`
`5982`	`5983`	`goto fail;`
`5983`	`5984`	`}`
`5984`	`5985`	`*flags \|= H2_SF_ES_RCVD;`