http2: reject overly many push-promise headers

Getting more than a thousand of them is rather a sign of some kind of attack. Reported-by: Harry Sintonen Bug: https://hackerone.com/reports/1589847 Closes #8962
author: Daniel Stenberg <daniel@haxx.se> 2022-06-05 11:41:49 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2022-06-06 11:53:49 +0200
commit: 21ea13cfe1c036bb9de048c443aea438bcf185e3 (patch)
tree: 40d29ff0b7772074bcbcc7738d99d6b2425b42ea /lib/http2.c
parent: 9dbce9b3d0e7aeb2253d3e11f0ac2511dd13af9e (diff)
download: curl-21ea13cfe1c036bb9de048c443aea438bcf185e3.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/http2.c b/lib/http2.c
index cb17fe3ad..0fd91a920 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1050,6 +1050,12 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
     else if(stream->push_headers_used ==
             stream->push_headers_alloc) {
       char **headp;
+      if(stream->push_headers_alloc > 1000) {
+        /* this is beyond crazy many headers, bail out */
+        failf(data_s, "Too many PUSH_PROMISE headers");
+        Curl_safefree(stream->push_headers);
+        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+      }
       stream->push_headers_alloc *= 2;
       headp = Curl_saferealloc(stream->push_headers,
                                stream->push_headers_alloc * sizeof(char *));
author	Daniel Stenberg <daniel@haxx.se>	2022-06-05 11:41:49 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2022-06-06 11:53:49 +0200
commit	21ea13cfe1c036bb9de048c443aea438bcf185e3 (patch)
tree	40d29ff0b7772074bcbcc7738d99d6b2425b42ea /lib/http2.c
parent	9dbce9b3d0e7aeb2253d3e11f0ac2511dd13af9e (diff)
download	curl-21ea13cfe1c036bb9de048c443aea438bcf185e3.tar.gz