[PATCH 2 of 3] HTTP/2: length checking of Content-Type and Location headers
Maxim Dounin
mdounin at mdounin.ru
Sat Jun 13 10:41:27 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1781347019 -10800
# Sat Jun 13 13:36:59 2026 +0300
# Node ID 95c3ef836da866dcdd63c611732e2abccd9fc935
# Parent e83db11197c688c132055e5ff0fef582890a848e
HTTP/2: length checking of Content-Type and Location headers.
When serializing response headers, HTTP/2 reserves
NGX_HTTP_V2_INT_OCTETS (4 bytes) for string lengths, and this implies
that strings up to NGX_HTTP_V2_MAX_FIELD (~2 megabytes) can be used.
Serializing a longer string results in additional bytes being used for
the string length, potentially resulting in buffer overrun (though
unlikely with reasonable buffer sizes, as it uses only 1 extra byte for
lengths up to ~256 megabytes).
Longer strings are properly rejected when serializing headers from the
r->headers_out.headers list and trailers from the
r->headers_out.trailers list, but Content-Type and Location values
weren't checked. With this change, these are checked as well.
See also:
https://github.com/freenginx/nginx/issues/28
https://github.com/nginx/nginx/commit/58a7bc3406ac8b9dc0e0afafc69ba42df56009e3
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -237,6 +237,15 @@ ngx_http_v2_header_filter(ngx_http_reque
}
if (r->headers_out.content_type.len) {
+
+ if (r->headers_out.content_type.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+ "too long response header value: "
+ "\"Content-Type: %*s...\"",
+ 256, r->headers_out.content_type.data);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.content_type.len;
if (r->headers_out.content_type_len == r->headers_out.content_type.len
@@ -333,6 +342,14 @@ ngx_http_v2_header_filter(ngx_http_reque
r->headers_out.location->hash = 0;
+ if (r->headers_out.location->value.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+ "too long response header value: "
+ "\"Location: %*s...\"",
+ 256, r->headers_out.location->value.data);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.location->value.len;
}
More information about the nginx-devel
mailing list