nginx/SOURCES/nginx-1.14.1-CVE-2019-9513.patch
2023-05-24 03:55:58 +00:00

48 lines
1.8 KiB
Diff

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 3b7f892..0aaea47 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
h2c->concurrent_pushes = h2scf->concurrent_pushes;
+ h2c->priority_limit = h2scf->concurrent_streams;
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
if (h2c->pool == NULL) {
@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
}
+ if (--h2c->priority_limit == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many PRIORITY frames");
+
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
+ }
+
if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
return ngx_http_v2_state_save(h2c, pos, end,
ngx_http_v2_state_priority);
@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
h2c->processing++;
}
+ h2c->priority_limit += h2scf->concurrent_streams;
+
return stream;
}
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index 715b7d3..69d55d1 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t priority_limit;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;