[PATCH 2 of 3] HTTP/2: length checking of Content-Type and Location headers

Maxim Dounin mdounin at mdounin.ru
Sat Jun 13 10:41:27 UTC 2026


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1781347019 -10800
#      Sat Jun 13 13:36:59 2026 +0300
# Node ID 95c3ef836da866dcdd63c611732e2abccd9fc935
# Parent  e83db11197c688c132055e5ff0fef582890a848e
HTTP/2: length checking of Content-Type and Location headers.

When serializing response headers, HTTP/2 reserves
NGX_HTTP_V2_INT_OCTETS (4 bytes) for string lengths, and this implies
that strings up to NGX_HTTP_V2_MAX_FIELD (~2 megabytes) can be used.
Serializing a longer string results in additional bytes being used for
the string length, potentially resulting in buffer overrun (though
unlikely with reasonable buffer sizes, as it uses only 1 extra byte for
lengths up to ~256 megabytes).

Longer strings are properly rejected when serializing headers from the
r->headers_out.headers list and trailers from the
r->headers_out.trailers list, but Content-Type and Location values
weren't checked.  With this change, these are checked as well.

See also:
https://github.com/freenginx/nginx/issues/28
https://github.com/nginx/nginx/commit/58a7bc3406ac8b9dc0e0afafc69ba42df56009e3

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -237,6 +237,15 @@ ngx_http_v2_header_filter(ngx_http_reque
     }
 
     if (r->headers_out.content_type.len) {
+
+        if (r->headers_out.content_type.len > NGX_HTTP_V2_MAX_FIELD) {
+            ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+                          "too long response header value: "
+                          "\"Content-Type: %*s...\"",
+                          256, r->headers_out.content_type.data);
+            return NGX_ERROR;
+        }
+
         len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.content_type.len;
 
         if (r->headers_out.content_type_len == r->headers_out.content_type.len
@@ -333,6 +342,14 @@ ngx_http_v2_header_filter(ngx_http_reque
 
         r->headers_out.location->hash = 0;
 
+        if (r->headers_out.location->value.len > NGX_HTTP_V2_MAX_FIELD) {
+            ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+                          "too long response header value: "
+                          "\"Location: %*s...\"",
+                          256, r->headers_out.location->value.data);
+            return NGX_ERROR;
+        }
+
         len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.location->value.len;
     }
 



More information about the nginx-devel mailing list