[PATCH 3 of 7] HTTP/3: fixed dynamic table overflow

Fri May 31 00:58:28 UTC 2024

# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1716902330 -14400
#      Tue May 28 17:18:50 2024 +0400
# Node ID 352360116e2c2fef891a91284083fb1d6c36c72d
# Parent  f9bd4667574b1e6b36a04eb0769c510235df5488
HTTP/3: fixed dynamic table overflow.

While inserting a new entry into the dynamic table, first the entry is added,
and then older entries are evicted until table size is within capacity.  After
the first step, the number of entries may temporarily exceed the maximum
calculated from capacity by one entry, which previously caused table overflow.

The easiest way to trigger the issue is to keep adding entries with empty names
and values until first eviction.

The issue was introduced by 987bee4363d1.

diff --git a/src/http/v3/ngx_http_v3_table.c b/src/http/v3/ngx_http_v3_table.c
--- a/src/http/v3/ngx_http_v3_table.c
+++ b/src/http/v3/ngx_http_v3_table.c
@@ -308,7 +308,7 @@ ngx_http_v3_set_capacity(ngx_connection_
     prev_max = dt->capacity / 32;
 
     if (max > prev_max) {
-        elts = ngx_alloc(max * sizeof(void *), c->log);
+        elts = ngx_alloc((max + 1) * sizeof(void *), c->log);
         if (elts == NULL) {
             return NGX_ERROR;
         }


