[nginx] HTTP/2: length checking of Content-Type and Location hea...

Maxim Dounin mdounin at mdounin.ru
Sat Jun 20 03:59:08 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/6e9770d8ff38
branches:  
changeset: 9565:6e9770d8ff38
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sat Jun 20 06:14:33 2026 +0300
description:
HTTP/2: length checking of Content-Type and Location headers.

When serializing response headers, HTTP/2 reserves
NGX_HTTP_V2_INT_OCTETS (4 bytes) for string lengths, and this implies
that strings up to NGX_HTTP_V2_MAX_FIELD (~2 megabytes) can be used.
Serializing a longer string results in additional bytes being used for
the string length, potentially resulting in buffer overrun (though
unlikely with reasonable buffer sizes, as it uses only 1 extra byte for
lengths up to ~256 megabytes).

Longer strings are properly rejected when serializing headers from the
r->headers_out.headers list and trailers from the
r->headers_out.trailers list, but Content-Type and Location values
weren't checked.  With this change, these are checked as well.

See also:
https://github.com/freenginx/nginx/issues/28
https://github.com/nginx/nginx/commit/58a7bc3406ac8b9dc0e0afafc69ba42df56009e3

diffstat:

 src/http/v2/ngx_http_v2_filter_module.c |  17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

diffs (34 lines):

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -237,6 +237,15 @@ ngx_http_v2_header_filter(ngx_http_reque
     }
 
     if (r->headers_out.content_type.len) {
+
+        if (r->headers_out.content_type.len > NGX_HTTP_V2_MAX_FIELD) {
+            ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+                          "too long response header value: "
+                          "\"Content-Type: %*s...\"",
+                          256, r->headers_out.content_type.data);
+            return NGX_ERROR;
+        }
+
         len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.content_type.len;
 
         if (r->headers_out.content_type_len == r->headers_out.content_type.len
@@ -333,6 +342,14 @@ ngx_http_v2_header_filter(ngx_http_reque
 
         r->headers_out.location->hash = 0;
 
+        if (r->headers_out.location->value.len > NGX_HTTP_V2_MAX_FIELD) {
+            ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
+                          "too long response header value: "
+                          "\"Location: %*s...\"",
+                          256, r->headers_out.location->value.data);
+            return NGX_ERROR;
+        }
+
         len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.location->value.len;
     }
 


More information about the nginx-devel mailing list