Mercurial > hg > nginx

changeset 7385:1c6b6163c039 stable-1.14

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
HTTP/2: flood detection. Fixed uncontrolled memory growth in case peer is flooding us with some frames (e.g., SETTINGS and PING) and doesn't read data. Fix is to limit the number of allocated control frames.
author Ruslan Ermilov <ru@nginx.com>
date Tue, 06 Nov 2018 16:29:35 +0300
parents fdc19a3289c1
children 9200b41db765
files src/http/v2/ngx_http_v2.c src/http/v2/ngx_http_v2.h
diffstat 2 files changed, 12 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/v2/ngx_http_v2.c	Tue Nov 06 16:29:18 2018 +0300
+++ b/src/http/v2/ngx_http_v2.c	Tue Nov 06 16:29:35 2018 +0300
@@ -664,6 +664,7 @@
 
     h2c->pool = NULL;
     h2c->free_frames = NULL;
+    h2c->frames = 0;
     h2c->free_fake_connections = NULL;
 
 #if (NGX_HTTP_SSL)
@@ -2895,7 +2896,7 @@
 
         frame->blocked = 0;
 
-    } else {
+    } else if (h2c->frames < 10000) {
         pool = h2c->pool ? h2c->pool : h2c->connection->pool;
 
         frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
@@ -2919,6 +2920,15 @@
         frame->last = frame->first;
 
         frame->handler = ngx_http_v2_frame_handler;
+
+        h2c->frames++;
+
+    } else {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "http2 flood detected");
+
+        h2c->connection->error = 1;
+        return NULL;
     }
 
 #if (NGX_DEBUG)
--- a/src/http/v2/ngx_http_v2.h	Tue Nov 06 16:29:18 2018 +0300
+++ b/src/http/v2/ngx_http_v2.h	Tue Nov 06 16:29:35 2018 +0300
@@ -120,6 +120,7 @@
     ngx_http_connection_t           *http_connection;
 
     ngx_uint_t                       processing;
+    ngx_uint_t                       frames;
 
     ngx_uint_t                       pushing;
     ngx_uint_t                       concurrent_pushes;