
RESET stream after 100 failed incoming headers
icing committed Apr 3, 2024
1 parent abc6e25 commit 134e28a
Showing 3 changed files with 9 additions and 3 deletions.
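--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
 
 status = h2_stream_add_header(stream, (const char *)name, namelen,
 (const char *)value, valuelen);
-if (status != APR_SUCCESS
-&& (!stream->rtmp
-|| stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
+if (status != APR_SUCCESS &&
+(!stream->rtmp ||
+stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
+/* We accept a certain amount of failures in order to reply
+* with an informative HTTP error response like 413. But of the
+* client is too wrong, we fail the request an RESET the stream */
+stream->request_headers_failed > 100)) {
 return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
 }
 return 0;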
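Review bot: The limit in `stream->request_headers_failed > 100` is a bare literal buried in the condition of on_header_cb, so the threshold that decides when a client's stream is RESET cannot be found or tuned without reading this expression. A named constant would make it reviewable, for example `#define H2_MAX_FAILED_REQ_HEADERS 100` (name constructed for this note) used as `stream->request_headers_failed > H2_MAX_FAILED_REQ_HEADERS`. The branch also returns `NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE` with no log call visible in the hunk; a low-level log message carrying the stream id at this point would let operators see when a peer keeps sending rejected headers. The new comment has two typos, "But of the client" for "But if the client" and "an RESET" for "and RESET". on_header_cb starts and ends outside this hunk, so logging or limits applied elsewhere in it are not visible here.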
1 change: 1 addition & 0 deletions mod_http2/h2_stream.c
Expand Up @@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,

cleanup:
if (error) {
++stream->request_headers_failed;
set_error_response(stream, error);
return APR_EINVAL;
}
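Review bot: The counter is bumped only on the `cleanup:` path when `error` is set, so the stream RESET in on_header_cb depends on every rejecting path of h2_stream_add_header reaching this label; the function starts outside the hunk, so that cannot be confirmed from here. If any path returns a non-success status without passing through `cleanup:`, those failures would not count toward the limit. A short comment on the increment would record the coupling, for example `/* counted so on_header_cb can RESET the stream once too many headers were rejected */`.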
1 change: 1 addition & 0 deletions mod_http2/h2_stream.h
Expand Up @@ -91,6 +91,7 @@ struct h2_stream {
struct h2_request *rtmp; /* request being assembled */
apr_table_t *trailers_in; /* optional, incoming trailers */
int request_headers_added; /* number of request headers added */
int request_headers_failed; /* number of request headers failed to add */

#if AP_HAS_RESPONSE_BUCKETS
ap_bucket_response *response; /* the final, non-interim response or NULL */
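Review bot: `request_headers_failed` is read in on_header_cb and incremented in h2_stream_add_header, but nothing in this commit initialises it, so the limit is only correct if `struct h2_stream` is zero-filled when a stream is created; that allocation is outside the visible hunks and is worth confirming. The field comment could also state what the count is for, for example `/* number of request headers that failed to add; stream is RESET above a limit */`. The struct definition continues beyond this hunk.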