58 Commits

Author SHA1 Message Date
Aurora
b6ec548300 Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
Signed-off-by: Aurora <liuxiyao223@huawei.com>
Change-Id: I75034195506a0704fb659cee4b26fbc9b2f99150
2024-04-10 16:32:54 +08:00
Tatsuhiro Tsujikawa
7f4c2f9ec3 Add nghttp2_check_header_value_rfc9113
Add nghttp2_check_header_value_rfc9113 which verifies the additional
rule imposed by RFC 9113, section 8.2.1, that is a field value must
not start or end with 0x20(SPC) or 0x09(HTAB).

libnghttp2 uses this new function internally.
2022-06-24 19:44:13 +09:00
Michael Kaufmann
83c063346d Stricter checks for pseudo-headers :method and :path
Check the allowed characters for ":method" (see RFC 7230, section 3.2.6) and
":path". For ":path", the space and tab characters are now forbidden, but
other special characters are still allowed for compatibility reasons.

Update genvchartbl.py so that it generates the same table as in the code.

Fixes #1611
2021-08-31 21:47:35 +02:00
James M Snell
336a98feb0 Implement max settings option 2020-05-05 11:55:32 -07:00
Tatsuhiro Tsujikawa
77f5487a58 Add nghttp2_check_authority as public API 2019-11-02 00:33:59 +09:00
Tatsuhiro Tsujikawa
a1ea1696be Make VALID_HD_NAME_CHARS and VALID_HD_VALUE_CHARS const qualified 2018-09-13 23:50:31 +09:00
Tatsuhiro Tsujikawa
43a2a70ae7 Add nghttp2_error_callback2
nghttp2_error_callback2 is an extended version of the existing
nghttp2_error_callback by adding error code parameter.  This
deprecates nghttp2_error_callback.
2017-11-19 16:51:52 +09:00
Tatsuhiro Tsujikawa
ca6f6511f2 Avoid memcpy against NULL src 2016-11-01 23:54:21 +09:00
Tatsuhiro Tsujikawa
0cf6848646 clang-format-3.9 2016-10-15 18:36:04 +09:00
Tatsuhiro Tsujikawa
62e1d1c952 Fix typo 2016-08-21 13:29:29 +09:00
Tatsuhiro Tsujikawa
204f9a3ec7 Add nghttp2_session_set_local_window_size() API function 2016-05-29 23:13:11 +09:00
Tatsuhiro Tsujikawa
a21c87d11c Add nghttp2_http2_strerror() to return HTTP/2 error code string 2016-02-29 23:10:20 +09:00
Tatsuhiro Tsujikawa
3785cf07ba Add simple HTTP/2 extension framework
Application can utilize this framework to send/receive user defined
extension frames.  These frames are expected not to change existing
protocol behaviour.
2015-10-11 17:46:23 +09:00
Tatsuhiro Tsujikawa
d22ced77c0 Return fatal error if flooding is detected to close session immediately
This change adds new return error code from nghttp2_session_mem_recv
and nghttp2_session_recv functions, namely NGHTTP2_ERR_FLOODED.  It is
fatal error, and is returned when flooding was detected.
2015-09-30 22:19:03 +09:00
Tatsuhiro Tsujikawa
ef3e2c7764 Don't send WINDOW_UPDATE with 0 increment 2015-09-27 00:22:33 +09:00
Tatsuhiro Tsujikawa
b5427d9651 Remove unused nghttp2_memdup 2015-09-26 22:44:08 +09:00
Tatsuhiro Tsujikawa
28fe3e7e89 More warning flags for --enable-werror 2015-09-23 16:49:45 +09:00
Tatsuhiro Tsujikawa
693fba3b64 Add more docs about NGHTTP2_ERR_DATA_EXIST and its condition
This commit documents NGHTTP2_ERR_DATA_EXIST also occurs if HEADERS
has been already attached to stream too.  This commit also fixes
possible assertion error, and now nghttp2_submit_headers() and
nghttp2_submit_response() may return NGHTTP2_ERR_DATA_EXIST.  But we
recommend to use nghttp2_submit_request() and
nghttp2_submit_response(), and using them will avoid this error.
2015-07-08 00:35:07 +09:00
Anders Bakken
2e8e38ec35 Fix typo 2015-06-24 13:56:50 -07:00
Tatsuhiro Tsujikawa
d0c27d5229 Send 24 bytes client magic byte string by library
Previously nghttp2_session_send() and nghttp2_session_mem_send() did
not send 24 bytes client magic byte string (MAGIC).  We made
nghttp2_session_recv() and nghttp2_session_mem_recv() process MAGIC by
default, so it is natural to make library send MAGIC as well.  This
commit makes nghttp2_session_send() and nghttp2_session_mem_send()
send MAGIC.  This commit also replaces "connection preface" with
"client magic", since we call MAGIC as "connection preface" but it is
just a part of connection preface.  NGHTTP2_CLIENT_CONNECTION_PREFACE
macro was replaced with NGHTTP2_CLIENT_MAGIC.  The already deprecated
NGHTTP2_CLIENT_CONNECTION_HEADER macro was removed permanently.
nghttp2_option_set_no_recv_client_preface() was renamed as
nghttp2_option_set_no_recv_client_magic().  NGHTTP2_ERR_BAD_PREFACE
was renamed as NGHTTP2_ERR_BAD_CLIENT_MAGIC.
2015-04-05 23:15:20 +09:00
Tatsuhiro Tsujikawa
ebf214c8fc nghttp2_on_invalid_frame_recv_callback should have lib_error_code as param
nghttp2_error_code is HTTP/2 standard error code and is too coarse to
know what's going on.
2015-04-05 23:15:20 +09:00
Tatsuhiro Tsujikawa
d1793e3b5a Add missing entry to nghttp2_strerror() 2015-02-26 23:04:38 +09:00
Tatsuhiro Tsujikawa
b0078a2379 Suppress to send frames other than GOAWAY if NGHTTP2_GOAWAY_TERM_ON_SEND is set
This change makes sure that GOAWAY which terminates session is
immediately sent without being blocked by other frames.
NGHTTP2_ERR_SESSION_CLOSING library error code was added to indicate
this situation to callback.
2015-01-15 22:32:29 +09:00
Tatsuhiro Tsujikawa
c0ffed7788 Support custom memory allocator
nghttp2_mem structure is introduced to hold custom memory allocator
functions and user supplied pointer.  nghttp2_mem object can be passed
to nghttp2_session_client_new3(), nghttp2_session_server_new3(),
nghttp2_hd_deflate_new2() and nghttp2_hd_inflate_new2() to replace
standard malloc(), free(), calloc() and realloc().  nghttp2_mem
structure has user supplied pointer mem_user_data which can be used as
per session/object memory pool.
2014-12-08 00:55:55 +09:00
Tatsuhiro Tsujikawa
60cb3f67f2 Refactor nghttp2_adjust_local_window_size 2014-12-01 21:49:32 +09:00
Tatsuhiro Tsujikawa
b1f807abd1 Reformat lines with clang-format-3.5 2014-11-27 23:56:30 +09:00
Tatsuhiro Tsujikawa
76800dc8e7 Remove unused functions 2014-10-30 23:31:36 +09:00
Tatsuhiro Tsujikawa
6b9382d865 Add comments to the auto-generated table 2014-10-27 21:27:03 +09:00
Tatsuhiro Tsujikawa
2c335dbc7a Add more comment about local window size adjustment 2014-10-27 21:24:41 +09:00
Tatsuhiro Tsujikawa
32ddca532a Use 256 elements table in nghttp2_downcast 2014-10-04 00:40:51 +09:00
Tatsuhiro Tsujikawa
727662257c Add missing NGHTTP2_ERR_BAD_PREFACE to nghttp2_strerror 2014-09-17 23:25:47 +09:00
Tatsuhiro Tsujikawa
2fb750f2e3 nghttp2_check_header_value: Disallow 0x00 2014-08-02 00:30:09 +09:00
Tatsuhiro Tsujikawa
ad4a4ee567 Add missing library error code to nghttp2_error() 2014-05-12 22:58:04 +09:00
Tatsuhiro Tsujikawa
ab76468971 Return NGHTTP2_ERR_BUFFER_ERROR from nghttp2_hd_{deflate,inflate}_hd
It is generally useful to know what is the cause of the error.  Since
we expose HPACK API, it is friendly to tell application the
insufficient buffer size is a culprit.
2014-05-12 22:58:04 +09:00
Tatsuhiro Tsujikawa
9228e223fa Remove NGHTTP2_ERR_GZIP error code 2014-05-06 23:42:57 +09:00
Tatsuhiro Tsujikawa
52b74144ee Fix 0 size malloc, part 2 2014-04-30 22:40:43 +09:00
Tatsuhiro Tsujikawa
ab2dc5967d Replace HTTP/2.0 with HTTP/2 2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa
3f56c938d8 nghttp2_hd: Use nghttp2_bufs, avoiding realloc() 2014-03-11 21:18:28 +09:00
Tatsuhiro Tsujikawa
358b4386d3 Introduce nghttp2_buf to ease buffer management 2014-03-11 01:47:38 +09:00
Tatsuhiro Tsujikawa
8be17f077a Add nghttp2_check_header_name and nghttp2_check_header_value APIs
These are promoted to public API from src/http2.h
2014-02-01 19:31:50 +09:00
Tatsuhiro Tsujikawa
707a0b4103 Move name/value validation functions to src
nghttp2 library itself now accepts octet header/value pairs,
completely not restricted by HTTP/1 header name/value rule.
The applications may impose restriction about them using
validators.
2014-01-17 02:16:53 +09:00
Tatsuhiro Tsujikawa
295a01ef91 Reformat valid character table for header field name/value pair 2014-01-04 11:19:07 +09:00
Tatsuhiro Tsujikawa
888792a949 nghttp2_hd: Allow HTAB and obs-text characters for field-content 2014-01-03 22:46:40 +09:00
Tatsuhiro Tsujikawa
dfcdea894b Move header name/value pair validation to on_*_received functions 2013-12-25 23:38:55 +09:00
Tatsuhiro Tsujikawa
65e54ca7b0 Add nghttp2_free() 2013-12-14 23:49:16 +09:00
Tatsuhiro Tsujikawa
ad64f11a95 Remove code submitting WINDOW_UPDATE with negative delta
It is effectively dead code because we should have already submitted
WINDOW_UPDATE before this case happens.
2013-10-30 23:43:40 +09:00
Tatsuhiro Tsujikawa
431f78f008 Rename NGHTTP2_ERR_FRAME_TOO_LARGE as NGHTTP2_ERR_FRAME_SIZE_ERROR 2013-10-27 19:35:36 +09:00
Tatsuhiro Tsujikawa
e85418f045 Fix local window size adjustments
Now shrinking local window size properly limits the amount of
WINDOW_UPDATE value so that shrunk window is honored.
2013-10-12 17:02:37 +09:00
Tatsuhiro Tsujikawa
82b9f78fc7 Check incoming header field name strictly
The validation rule is described in
http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-02#section-4.1.2
2013-08-25 17:39:29 +09:00
Tatsuhiro Tsujikawa
5dd6d86d66 Code cleanup 2013-08-09 01:46:07 +09:00