From bd4b251bbc626744953a61799cc17368c4bc6088 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Thu, 5 Sep 2024 19:35:43 +0400
Subject: [PATCH] HTTP/3: limited prefixed integers encoded length.

Similar to ngx_http_v2_module, the implementation limit is now set to 4 bytes length, see NGX_HTTP_V2_INT_OCTETS in ngx_http_v2_parse_int(). For example, this limits a maximum integer value encoded with a 7-bit prefix to 2097278, with similar limits using other prefixes.
---
 src/http/v3/ngx_http_v3_parse.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
index 436765c8a..a0dc5de4e 100644
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -217,9 +217,7 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c,
 st->value += (uint64_t) (ch & 0x7f) << st->shift;
- if (st->shift == 56
- && ((ch & 0x80) || (st->value & 0xc000000000000000)))
- {
+ if (st->shift == 21) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "client exceeded integer size limit");
 return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
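Review bot: The literal `21` in `if (st->shift == 21) {` carries the whole 4-byte limit without naming it, while the commit message points to the named NGX_HTTP_V2_INT_OCTETS on the HTTP/2 side. A comment above the check, such as `/* limit: prefix octet plus three 7-bit continuation octets */`, would let a reader verify the bound that caps client-supplied integers. The exact-match comparison also depends on `st->shift` starting at 0 and advancing in steps of 7, which presumably happens outside this hunk. Writing `if (st->shift >= 21) {` would keep the limit enforced even if that stepping changes later. The body of ngx_http_v3_parse_prefix_int starts and ends outside the hunk, so the shift handling could not be checked here.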