[nginx] HTTP/2: length checking of Content-Type and Location hea...
Maxim Dounin
mdounin at mdounin.ru
Sat Jun 20 03:59:08 UTC 2026
details: http://freenginx.org/hg/nginx/rev/6e9770d8ff38
branches:
changeset: 9565:6e9770d8ff38
user: Maxim Dounin <mdounin at mdounin.ru>
date: Sat Jun 20 06:14:33 2026 +0300
description:
HTTP/2: length checking of Content-Type and Location headers.
When serializing response headers, HTTP/2 reserves
NGX_HTTP_V2_INT_OCTETS (4 bytes) for string lengths, and this implies
that strings up to NGX_HTTP_V2_MAX_FIELD (~2 megabytes) can be used.
Serializing a longer string results in additional bytes being used for
the string length, potentially resulting in buffer overrun (though
unlikely with reasonable buffer sizes, as it uses only 1 extra byte for
lengths up to ~256 megabytes).
Longer strings are properly rejected when serializing headers from the
r->headers_out.headers list and trailers from the
r->headers_out.trailers list, but Content-Type and Location values
weren't checked. With this change, these are checked as well.
See also:
https://github.com/freenginx/nginx/issues/28
https://github.com/nginx/nginx/commit/58a7bc3406ac8b9dc0e0afafc69ba42df56009e3
diffstat:
src/http/v2/ngx_http_v2_filter_module.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
diffs (34 lines):
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -237,6 +237,15 @@ ngx_http_v2_header_filter(ngx_http_reque
}
if (r->headers_out.content_type.len) {
+
+ if (r->headers_out.content_type.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+ "too long response header value: "
+ "\"Content-Type: %*s...\"",
+ 256, r->headers_out.content_type.data);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.content_type.len;
if (r->headers_out.content_type_len == r->headers_out.content_type.len
@@ -333,6 +342,14 @@ ngx_http_v2_header_filter(ngx_http_reque
r->headers_out.location->hash = 0;
+ if (r->headers_out.location->value.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+ "too long response header value: "
+ "\"Location: %*s...\"",
+ 256, r->headers_out.location->value.data);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.location->value.len;
}
More information about the nginx-devel
mailing list