Commit Graph

25 Commits

Author SHA1 Message Date
Aurora
b6ec548300 Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
Signed-off-by: Aurora <liuxiyao223@huawei.com>
Change-Id: I75034195506a0704fb659cee4b26fbc9b2f99150
2024-04-10 16:32:54 +08:00
徐杰
92a10b73c3 漏洞补丁【CVE-2023-44487】
Signed-off-by: 徐杰 <xujie223@huawei.com>
2023-10-26 02:03:14 +00:00
Tatsuhiro Tsujikawa
eb06e33e38 Add nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation 2022-09-07 16:34:12 +09:00
Tatsuhiro Tsujikawa
8c2386c221 Add a server option to fallback to RFC 7540 priorities
Add nghttp2_option_set_server_fallback_rfc7540_priorities.  If it is
set to nonzero, and server submits SETTINGS_NO_RFC7540_PRIORITIES = 1,
but it does not receive SETTINGS_NO_RFC7540_PRIORITIES from client,
server falls back to RFC 7540 priorities.  Only minimal set of
features are enabled in this fallback case.
2022-06-14 23:47:42 +09:00
James M Snell
336a98feb0
Implement max settings option 2020-05-05 11:55:32 -07:00
Tatsuhiro Tsujikawa
0a6ce87c22 Add nghttp2_option_set_max_outbound_ack 2019-08-14 11:43:55 +09:00
Tatsuhiro Tsujikawa
880f948684 Enable IndentPPDirectives 2018-06-09 16:21:30 +09:00
Tatsuhiro Tsujikawa
f3a5a0a0ec Add nghttp2_option_no_closed_streams
nghttp2_option_no_closed_streams controls whether closed streams are
retained or not.  If nonzero is passed to that function's parameter
val, a session does not retain closed streams.  It may hurt the shape
of priority tree, but can save memory.
2017-02-13 22:33:29 +09:00
Tatsuhiro Tsujikawa
392256e542 Add nghttp2_option_set_max_deflate_dynamic_table_size() API function
nghttp2_option_set_max_deflate_dynamic_table_size function sets the
maximum dynamic table size for header block deflater.  The default
value is 4KiB.
2016-09-11 22:13:59 +09:00
Tatsuhiro Tsujikawa
c7b0e04498 Add nghttp2_option_set_max_send_header_block_length API function
This function sets the maximum length of header block (a set of header
fields per HEADERS frame) to send.  The length of given set of header
fields is calculated using nghttp2_hd_deflate_bound().  Previously,
this is hard-coded, and is 64KiB.
2016-06-15 00:05:15 +09:00
Tatsuhiro Tsujikawa
6638ca9333 altsvc: Reduce bitfield size 2016-04-09 18:23:15 +09:00
Tatsuhiro Tsujikawa
795ee8c20f altsvc: Receive ALTSVC frame 2016-04-08 23:25:56 +09:00
Tatsuhiro Tsujikawa
e453759637 Add nghttp2_option_set_no_auto_ping_ack() option
This option prevents the nghttp2 library from sending PING frame with
ACK flag set in the reply to incoming PING frame.  To allow the
application to send PING with ACK flag set, nghttp2_submit_ping() now
recognizes NGHTTP2_FLAG_PING in its flags parameter.
2016-02-29 23:39:50 +09:00
Tatsuhiro Tsujikawa
061a557839 Add nghttp2_option_set_user_recv_extension_type to opt-in incoming extension type 2015-10-15 00:17:07 +09:00
Tatsuhiro Tsujikawa
28fe3e7e89 More warning flags for --enable-werror 2015-09-23 16:49:45 +09:00
Tatsuhiro Tsujikawa
928a81885c Limit the number of incoming reserved (remote) streams
RFC 7540 does not enforce any limit on the number of incoming reserved
streams (in RFC 7540 terms, streams in reserved (remote) state).  This
only affects client side, since only server can push streams.
Malicious server can push arbitrary number of streams, and make
client's memory exhausted.  The new option,
nghttp2_set_max_reserved_remote_streams, can set the maximum number of
such incoming streams to avoid possible memory exhaustion.  If this
option is set, and pushed streams are automatically closed on
reception, without calling user provided callback, if they exceed the
given limit.  The default value is 200.  If session is configured as
server side, this option has no effect.  Server can control the number
of streams to push.
2015-08-23 21:43:41 +09:00
Tatsuhiro Tsujikawa
e63d6e490a Merge branch 'master' into v1.0.0
Conflicts:
	lib/nghttp2_option.h
	lib/nghttp2_session.h
	src/HttpServer.cc
2015-05-08 19:21:51 +09:00
Alexis La Goutte
a62778d6b0 fix comma at end of enumerator list [-Wpedantic] 2015-04-30 07:49:55 +02:00
Tatsuhiro Tsujikawa
d0c27d5229 Send 24 bytes client magic byte string by library
Previously nghttp2_session_send() and nghttp2_session_mem_send() did
not send 24 bytes client magic byte string (MAGIC).  We made
nghttp2_session_recv() and nghttp2_session_mem_recv() process MAGIC by
default, so it is natural to make library send MAGIC as well.  This
commit makes nghttp2_session_send() and nghttp2_session_mem_send()
send MAGIC.  This commit also replace "connection preface" with
"client magic", since we call MAGIC as "connection preface" but it is
just a part of connection preface.  NGHTTP2_CLIENT_CONNECTION_PREFACE
macro was replaced with NGHTTP2_CLIENT_MAGIC.  The already deprecated
NGHTTP2_CLIENT_CONNECTION_HEADER macro was removed permanently.
nghttp2_option_set_no_recv_client_preface() was renamed as
nghttp2_option_set_no_recv_client_magic().  NGHTTP2_ERR_BAD_PREFACE
was renamed as NGHTTP2_ERR_BAD_CLIENT_MAGIC.
2015-04-05 23:15:20 +09:00
Tatsuhiro Tsujikawa
250ea53e4b Deal with 24 bytes client connection preface by default
Since HTTP/2 spec requires for client to send connection preface, it
is reasonable to make this option enabled by default.  It is still a
use case to disable this, so replace this option with
nghttp2_option_set_no_recv_client_preface().
2015-04-05 23:15:20 +09:00
Tatsuhiro Tsujikawa
e45c523dc7 Add nghttp2_option_set_no_http_messaging() API function
This API function with nonzero |val| parameter disables HTTP Messaging
validation in nghttp2 library, so that application can use nghttp2
library for non-HTTP use.
2015-02-20 23:26:56 +09:00
Tatsuhiro Tsujikawa
b1f807abd1 Reformat lines with clang-format-3.5 2014-11-27 23:56:30 +09:00
Tatsuhiro Tsujikawa
901de5fbce Add nghttp2_option_set_recv_client_preface()
By default, nghttp2 library only handles HTTP/2 frames and does not
recognize first 24 bytes of client connection preface. This design
choice is done due to the fact that server may want to detect the
application protocol based on first few bytes on clear text
communication. But for simple servers which only speak HTTP/2, it is
easier for developers if nghttp2 library takes care of client
connection preface.

If this option is used with nonzero val, nghttp2 library checks first
24 bytes client connection preface. If it is not a valid one,
nghttp2_session_recv() and nghttp2_session_mem_recv() will return
error NGHTTP2_ERR_BAD_PREFACE, which is fatal error.
2014-09-13 19:50:44 +09:00
Tatsuhiro Tsujikawa
079db14d45 Add nghttp2_session_consume() API
Reworked no automatic WINDOW_UPDATE feature.  We added new API
nghttp2_session_consume() which tells the library how many bytes are
consumed by the application.  Instead of submitting WINDOW_UPDATE by
the application, the library is now responsible to submit
WINDOW_UPDATE based on consumed bytes.  This is more reliable method,
since it enables us to properly send WINDOW_UPDATE for stream and
connection individually.  The previous implementation of nghttpx had
broken connection window management.
2014-07-31 23:05:53 +09:00
Tatsuhiro Tsujikawa
d668d2448b Hide session option from public API
To make adding new option easier, we decided to make the details of
option struct private and hide it from public API.  We provide
functions to set individual option value.
2014-04-04 21:57:47 +09:00