[nginx] HTTP/3: fixed potential type overflow in string literal parser.
noreply at nginx.com
noreply at nginx.com
Thu Jul 24 17:28:51 UTC 2025
details: https://github.com/nginx/nginx/commit/3739fe94d1c3c844708b219776f1921bff16b56f
branches: master
commit: 3739fe94d1c3c844708b219776f1921bff16b56f
user: Sergey Kandaurov <pluknet at nginx.com>
date: Thu, 5 Sep 2024 19:35:43 +0400
description:
HTTP/3: fixed potential type overflow in string literal parser.
This might happen for Huffman encoded string literals as the result
of length expansion. Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.
---
src/http/v3/ngx_http_v3_parse.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
index 436765c8a..bcbf0dbe1 100644
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -623,6 +623,12 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
}
if (st->huffman) {
+ if (n > NGX_MAX_INT_T_VALUE / 8) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too large field line");
+ return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+ }
+
n = n * 8 / 5;
st->huffstate = 0;
}
More information about the nginx-devel
mailing list