author | Daniel Stenberg <daniel@haxx.se> | 2022-06-05 11:41:49 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-06-06 11:53:49 +0200 |
commit | 21ea13cfe1c036bb9de048c443aea438bcf185e3 (patch) | |
tree | 40d29ff0b7772074bcbcc7738d99d6b2425b42ea /lib/http2.c | |
parent | 9dbce9b3d0e7aeb2253d3e11f0ac2511dd13af9e (diff) | |
http2: reject overly many push-promise headers
Getting more than a thousand of them is more likely a sign of some kind of
attack than of legitimate use.
Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1589847
Closes #8962
Diffstat (limited to 'lib/http2.c')
-rw-r--r-- | lib/http2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/http2.c b/lib/http2.c
index cb17fe3ad..0fd91a920 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1050,6 +1050,12 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
   else if(stream->push_headers_used == stream->push_headers_alloc) {
     char **headp;
+    if(stream->push_headers_alloc > 1000) {
+      /* this is beyond crazy many headers, bail out */
+      failf(data_s, "Too many PUSH_PROMISE headers");
+      Curl_safefree(stream->push_headers);
+      return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+    }
     stream->push_headers_alloc *= 2;
     headp = Curl_saferealloc(stream->push_headers, stream->push_headers_alloc * sizeof(char *)); |
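Review bot: The bail-out frees only the pointer array, so the `push_headers_used` entries it held are not released and the counters still claim that many live entries while `stream->push_headers` is now NULL; any later teardown that walks `push_headers_used` over `push_headers` would dereference NULL, and the strings leak either way. At minimum the counters should be cleared next to the free, `stream->push_headers_used = 0;` and `stream->push_headers_alloc = 0;`, and if the entries are individually allocated (likely, but their allocation is outside the hunk) they need to be freed in that same path. Note also that the check runs before the doubling and only when the array is full, so the effective limit is the first capacity above 1000 reached by doubling, not 1000 headers; a comment such as `/* capacity is checked before doubling, so the real cap is the first power-of-two step past 1000 */` would make the bound explicit. on_header begins and ends outside the hunk.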