[nginx] HTTP/2: flood detection.

Maxim Dounin
November 06, 2018 10:26AM
details: http://hg.nginx.org/nginx/rev/1c6b6163c039
branches: stable-1.14
changeset: 7385:1c6b6163c039
user: Ruslan Ermilov <ru@nginx.com>
date: Tue Nov 06 16:29:35 2018 +0300
description:
HTTP/2: flood detection.

Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data. Fix
is to limit the number of allocated control frames.

diffstat:

src/http/v2/ngx_http_v2.c | 12 +++++++++++-
src/http/v2/ngx_http_v2.h | 1 +
2 files changed, 12 insertions(+), 1 deletions(-)

diffs (47 lines):

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -664,6 +664,7 @@ ngx_http_v2_handle_connection(ngx_http_v

h2c->pool = NULL;
h2c->free_frames = NULL;
+ h2c->frames = 0;
h2c->free_fake_connections = NULL;

#if (NGX_HTTP_SSL)
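
Review bot: the `h2c->frames = 0;` reset here has to stay paired with `h2c->free_frames = NULL;`, and nothing in the patch says so. A short comment that the counter tracks frames allocated from the current pool, and must be cleared wherever the free list is dropped, would keep the two from drifting apart in later edits. The patch also does not show the counter being initialized when the connection is created, so it is worth confirming that the structure is zero-allocated there.
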
@@ -2895,7 +2896,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connec

frame->blocked = 0;

- } else {
+ } else if (h2c->frames < 10000) {
pool = h2c->pool ? h2c->pool : h2c->connection->pool;

frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
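
Review bot: the limit in `} else if (h2c->frames < 10000) {` is a bare literal with no explanation of how the value was chosen. Consider moving it to a named constant in ngx_http_v2.h with a one-line comment on the reasoning, so the threshold is visible next to the `frames` field and can be found by anyone investigating an "http2 flood detected" log line.
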
@@ -2919,6 +2920,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connec
frame->last = frame->first;

frame->handler = ngx_http_v2_frame_handler;
+
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}

#if (NGX_DEBUG)
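
Review bot: the new `else` branch logs "http2 flood detected" at NGX_LOG_INFO, so with an error_log level above info the connection is closed with no record of why. Consider whether a higher level is appropriate for an event that indicates abuse, or at least include the limit that was hit in the message. Note also that `return NULL;` is now reachable without an allocation failure, so every caller of ngx_http_v2_get_frame() needs to treat NULL as fatal for the connection rather than as an out-of-memory condition only; the callers are not part of this patch and should be checked.
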
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -120,6 +120,7 @@ struct ngx_http_v2_connection_s {
ngx_http_connection_t *http_connection;

ngx_uint_t processing;
+ ngx_uint_t frames;

ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;
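
Review bot: the new field `ngx_uint_t frames;` is undocumented and the name does not say what is counted. Since it is only incremented on allocation in ngx_http_v2_get_frame() and compared against the flood limit, a comment such as "number of output frames allocated, used for flood detection" would make the intent clear.
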
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel