[PATCH 5 of 5] QUIC: limited the total number of frames
Roman Arutyunyan
arut at nginx.com
Thu Oct 7 11:36:18 UTC 2021
# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1633603050 -10800
# Thu Oct 07 13:37:30 2021 +0300
# Branch quic
# Node ID 25aeebb9432182a6246fedba6b1024f3d61e959b
# Parent e20f00b8ac9005621993ea19375b1646c9182e7b
QUIC: limited the total number of frames.
Exceeding 10000 allocated frames is considered a flood.
diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
--- a/src/event/quic/ngx_event_quic_connection.h
+++ b/src/event/quic/ngx_event_quic_connection.h
@@ -228,10 +228,8 @@ struct ngx_quic_connection_s {
ngx_chain_t *free_bufs;
ngx_buf_t *free_shadow_bufs;
-#ifdef NGX_QUIC_DEBUG_ALLOC
ngx_uint_t nframes;
ngx_uint_t nbufs;
-#endif
ngx_quic_streams_t streams;
ngx_quic_congestion_t congestion;
diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
"quic reuse frame n:%ui", qc->nframes);
#endif
- } else {
+ } else if (qc->nframes < 10000) {
frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
if (frame == NULL) {
return NULL;
}
-#ifdef NGX_QUIC_DEBUG_ALLOC
++qc->nframes;
+#ifdef NGX_QUIC_DEBUG_ALLOC
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic alloc frame n:%ui", qc->nframes);
#endif
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+ return NULL;
}
ngx_memzero(frame, sizeof(ngx_quic_frame_t));
@@ -372,9 +376,9 @@ ngx_quic_alloc_buf(ngx_connection_t *c)
cl->buf = b;
-#ifdef NGX_QUIC_DEBUG_ALLOC
++qc->nbufs;
+#ifdef NGX_QUIC_DEBUG_ALLOC
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic alloc buffer n:%ui", qc->nbufs);
#endif
More information about the nginx-devel
mailing list