Compare commits
No commits in common. "eab77a0da66f15bc5084a2fd0ea1514636cbfe69" and "0912e42fbf0604d5c814eec37fd9683aff28c5ca" have entirely different histories.
eab77a0da6
...
0912e42fbf
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
/nghttp2-[0-9]*.tar.xz
|
SOURCES/nghttp2-1.33.0.tar.xz
|
||||||
|
1
.nghttp2.metadata
Normal file
1
.nghttp2.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
0a11f7de6ea8e66fbecc9fe4ddc61b6ab40af469 SOURCES/nghttp2-1.33.0.tar.xz
|
@ -1,976 +0,0 @@
|
|||||||
From 095040ff7ac242cec5075b8d4bd8c9884bc3ec30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
|
||||||
Date: Sun, 1 Oct 2023 00:05:01 +0900
|
|
||||||
Subject: [PATCH] Rework session management
|
|
||||||
|
|
||||||
(cherry picked from commit 72b4af6143681f528f1d237b21a9a7aee1738832)
|
|
||||||
|
|
||||||
Signed-off-by: Jan Macku <jamacku@redhat.com>
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 4 ++
|
|
||||||
cmakeconfig.h.in | 9 +++
|
|
||||||
configure.ac | 21 +++++++
|
|
||||||
doc/Makefile.am | 1 +
|
|
||||||
lib/CMakeLists.txt | 2 +
|
|
||||||
lib/Makefile.am | 4 ++
|
|
||||||
lib/includes/nghttp2/nghttp2.h | 17 ++++++
|
|
||||||
lib/nghttp2_option.c | 7 +++
|
|
||||||
lib/nghttp2_option.h | 6 ++
|
|
||||||
lib/nghttp2_ratelim.c | 75 ++++++++++++++++++++++++
|
|
||||||
lib/nghttp2_ratelim.h | 57 ++++++++++++++++++
|
|
||||||
lib/nghttp2_session.c | 34 ++++++++++-
|
|
||||||
lib/nghttp2_session.h | 12 +++-
|
|
||||||
lib/nghttp2_time.c | 62 ++++++++++++++++++++
|
|
||||||
lib/nghttp2_time.h | 38 ++++++++++++
|
|
||||||
tests/CMakeLists.txt | 1 +
|
|
||||||
tests/Makefile.am | 6 +-
|
|
||||||
tests/main.c | 7 ++-
|
|
||||||
tests/nghttp2_ratelim_test.c | 101 ++++++++++++++++++++++++++++++++
|
|
||||||
tests/nghttp2_ratelim_test.h | 35 +++++++++++
|
|
||||||
tests/nghttp2_session_test.c | 103 +++++++++++++++++++++++++++++++++
|
|
||||||
tests/nghttp2_session_test.h | 1 +
|
|
||||||
22 files changed, 598 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 lib/nghttp2_ratelim.c
|
|
||||||
create mode 100644 lib/nghttp2_ratelim.h
|
|
||||||
create mode 100644 lib/nghttp2_time.c
|
|
||||||
create mode 100644 lib/nghttp2_time.h
|
|
||||||
create mode 100644 tests/nghttp2_ratelim_test.c
|
|
||||||
create mode 100644 tests/nghttp2_ratelim_test.h
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index dbac6c8..78b356d 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -262,6 +262,7 @@ check_include_file("netinet/in.h" HAVE_NETINET_IN_H)
|
|
||||||
check_include_file("pwd.h" HAVE_PWD_H)
|
|
||||||
check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H)
|
|
||||||
check_include_file("sys/time.h" HAVE_SYS_TIME_H)
|
|
||||||
+check_include_file("sysinfoapi.h" HAVE_SYSINFOAPI_H)
|
|
||||||
check_include_file("syslog.h" HAVE_SYSLOG_H)
|
|
||||||
check_include_file("time.h" HAVE_TIME_H)
|
|
||||||
check_include_file("unistd.h" HAVE_UNISTD_H)
|
|
||||||
@@ -302,8 +303,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
|
|
||||||
include(CheckFunctionExists)
|
|
||||||
check_function_exists(_Exit HAVE__EXIT)
|
|
||||||
check_function_exists(accept4 HAVE_ACCEPT4)
|
|
||||||
+check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
|
|
||||||
check_function_exists(mkostemp HAVE_MKOSTEMP)
|
|
||||||
|
|
||||||
+check_symbol_exists(GetTickCount64 sysinfoapi.h HAVE_GETTICKCOUNT64)
|
|
||||||
+
|
|
||||||
include(CheckSymbolExists)
|
|
||||||
# XXX does this correctly detect initgroups (un)availability on cygwin?
|
|
||||||
check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS)
|
|
||||||
diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in
|
|
||||||
index d67b540..4065029 100644
|
|
||||||
--- a/cmakeconfig.h.in
|
|
||||||
+++ b/cmakeconfig.h.in
|
|
||||||
@@ -34,9 +34,15 @@
|
|
||||||
/* Define to 1 if you have the `accept4` function. */
|
|
||||||
#cmakedefine HAVE_ACCEPT4 1
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `clock_gettime` function. */
|
|
||||||
+#cmakedefine HAVE_CLOCK_GETTIME 1
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `mkostemp` function. */
|
|
||||||
#cmakedefine HAVE_MKOSTEMP 1
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `GetTickCount64` function. */
|
|
||||||
+#cmakedefine HAVE_GETTICKCOUNT64 1
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `initgroups` function. */
|
|
||||||
#cmakedefine01 HAVE_DECL_INITGROUPS
|
|
||||||
|
|
||||||
@@ -73,6 +79,9 @@
|
|
||||||
/* Define to 1 if you have the <sys/time.h> header file. */
|
|
||||||
#cmakedefine HAVE_SYS_TIME_H 1
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the <sysinfoapi.h> header file. */
|
|
||||||
+#cmakedefine HAVE_SYSINFOAPI_H 1
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the <syslog.h> header file. */
|
|
||||||
#cmakedefine HAVE_SYSLOG_H 1
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index a54398e..a41492c 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \
|
|
||||||
string.h \
|
|
||||||
sys/socket.h \
|
|
||||||
sys/time.h \
|
|
||||||
+ sysinfoapi.h \
|
|
||||||
syslog.h \
|
|
||||||
time.h \
|
|
||||||
unistd.h \
|
|
||||||
@@ -681,6 +682,7 @@ AC_FUNC_STRNLEN
|
|
||||||
AC_CHECK_FUNCS([ \
|
|
||||||
_Exit \
|
|
||||||
accept4 \
|
|
||||||
+ clock_gettime \
|
|
||||||
dup2 \
|
|
||||||
getcwd \
|
|
||||||
getpwnam \
|
|
||||||
@@ -706,6 +708,25 @@ AC_CHECK_FUNCS([ \
|
|
||||||
AC_CHECK_FUNC([timerfd_create],
|
|
||||||
[have_timerfd_create=yes], [have_timerfd_create=no])
|
|
||||||
|
|
||||||
+AC_MSG_CHECKING([checking for GetTickCount64])
|
|
||||||
+AC_LINK_IFELSE([AC_LANG_PROGRAM(
|
|
||||||
+[[
|
|
||||||
+#include <sysinfoapi.h>
|
|
||||||
+]],
|
|
||||||
+[[
|
|
||||||
+GetTickCount64();
|
|
||||||
+]])],
|
|
||||||
+[have_gettickcount64=yes],
|
|
||||||
+[have_gettickcount64=no])
|
|
||||||
+
|
|
||||||
+if test "x${have_gettickcount64}" = "xyes"; then
|
|
||||||
+ AC_MSG_RESULT([yes])
|
|
||||||
+ AC_DEFINE([HAVE_GETTICKCOUNT64], [1],
|
|
||||||
+ [Define to 1 if you have `GetTickCount64` function.])
|
|
||||||
+else
|
|
||||||
+ AC_MSG_RESULT([no])
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
# For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but
|
|
||||||
# cygwin disables initgroups due to feature test macro magic with our
|
|
||||||
# configuration. FreeBSD declares initgroups() in unistd.h.
|
|
||||||
diff --git a/doc/Makefile.am b/doc/Makefile.am
|
|
||||||
index 5a58f8e..87f6c43 100644
|
|
||||||
--- a/doc/Makefile.am
|
|
||||||
+++ b/doc/Makefile.am
|
|
||||||
@@ -69,6 +69,7 @@ APIDOCS= \
|
|
||||||
nghttp2_option_set_user_recv_extension_type.rst \
|
|
||||||
nghttp2_option_set_max_outbound_ack.rst \
|
|
||||||
nghttp2_option_set_max_settings.rst \
|
|
||||||
+ nghttp2_option_set_stream_reset_rate_limit.rst \
|
|
||||||
nghttp2_pack_settings_payload.rst \
|
|
||||||
nghttp2_priority_spec_check_default.rst \
|
|
||||||
nghttp2_priority_spec_default_init.rst \
|
|
||||||
diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
|
|
||||||
index 17e422b..d44de28 100644
|
|
||||||
--- a/lib/CMakeLists.txt
|
|
||||||
+++ b/lib/CMakeLists.txt
|
|
||||||
@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES
|
|
||||||
nghttp2_mem.c
|
|
||||||
nghttp2_http.c
|
|
||||||
nghttp2_rcbuf.c
|
|
||||||
+ nghttp2_ratelim.c
|
|
||||||
+ nghttp2_time.c
|
|
||||||
nghttp2_debug.c
|
|
||||||
)
|
|
||||||
|
|
||||||
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
|
||||||
index 24a5bd6..595714d 100644
|
|
||||||
--- a/lib/Makefile.am
|
|
||||||
+++ b/lib/Makefile.am
|
|
||||||
@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \
|
|
||||||
nghttp2_mem.c \
|
|
||||||
nghttp2_http.c \
|
|
||||||
nghttp2_rcbuf.c \
|
|
||||||
+ nghttp2_ratelim.c \
|
|
||||||
+ nghttp2_time.c \
|
|
||||||
nghttp2_debug.c
|
|
||||||
|
|
||||||
HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
|
|
||||||
@@ -65,6 +67,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
|
|
||||||
nghttp2_mem.h \
|
|
||||||
nghttp2_http.h \
|
|
||||||
nghttp2_rcbuf.h \
|
|
||||||
+ nghttp2_ratelim.h \
|
|
||||||
+ nghttp2_time.h \
|
|
||||||
nghttp2_debug.h
|
|
||||||
|
|
||||||
libnghttp2_la_SOURCES = $(HFILES) $(OBJECTS)
|
|
||||||
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
|
|
||||||
index b0ff6c5..9eb764c 100644
|
|
||||||
--- a/lib/includes/nghttp2/nghttp2.h
|
|
||||||
+++ b/lib/includes/nghttp2/nghttp2.h
|
|
||||||
@@ -2671,6 +2671,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
|
|
||||||
NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
|
|
||||||
size_t val);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * @function
|
|
||||||
+ *
|
|
||||||
+ * This function sets the rate limit for the incoming stream reset
|
|
||||||
+ * (RST_STREAM frame). It is server use only. It is a token-bucket
|
|
||||||
+ * based rate limiter. |burst| specifies the number of tokens that is
|
|
||||||
+ * initially available. The maximum number of tokens is capped to
|
|
||||||
+ * this value. |rate| specifies the number of tokens that are
|
|
||||||
+ * regenerated per second. An incoming RST_STREAM consumes one token.
|
|
||||||
+ * If there is no token available, GOAWAY is sent to tear down the
|
|
||||||
+ * connection. |burst| and |rate| default to 1000 and 33
|
|
||||||
+ * respectively.
|
|
||||||
+ */
|
|
||||||
+NGHTTP2_EXTERN void
|
|
||||||
+nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
+ uint64_t burst, uint64_t rate);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* @function
|
|
||||||
*
|
|
||||||
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
|
|
||||||
index 34348e6..0d9a404 100644
|
|
||||||
--- a/lib/nghttp2_option.c
|
|
||||||
+++ b/lib/nghttp2_option.c
|
|
||||||
@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
|
|
||||||
option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
|
|
||||||
option->max_settings = val;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
+ uint64_t burst, uint64_t rate) {
|
|
||||||
+ option->opt_set_mask |= NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT;
|
|
||||||
+ option->stream_reset_burst = burst;
|
|
||||||
+ option->stream_reset_rate = rate;
|
|
||||||
+}
|
|
||||||
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
|
|
||||||
index 939729f..e6ba910 100644
|
|
||||||
--- a/lib/nghttp2_option.h
|
|
||||||
+++ b/lib/nghttp2_option.h
|
|
||||||
@@ -68,12 +68,18 @@ typedef enum {
|
|
||||||
NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
|
|
||||||
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
|
|
||||||
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
|
|
||||||
+ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
|
||||||
} nghttp2_option_flag;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Struct to store option values for nghttp2_session.
|
|
||||||
*/
|
|
||||||
struct nghttp2_option {
|
|
||||||
+ /**
|
|
||||||
+ * NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT
|
|
||||||
+ */
|
|
||||||
+ uint64_t stream_reset_burst;
|
|
||||||
+ uint64_t stream_reset_rate;
|
|
||||||
/**
|
|
||||||
* NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH
|
|
||||||
*/
|
|
||||||
diff --git a/lib/nghttp2_ratelim.c b/lib/nghttp2_ratelim.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..7011655
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/nghttp2_ratelim.c
|
|
||||||
@@ -0,0 +1,75 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#include "nghttp2_ratelim.h"
|
|
||||||
+#include "nghttp2_helper.h"
|
|
||||||
+
|
|
||||||
+void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate) {
|
|
||||||
+ rl->val = rl->burst = burst;
|
|
||||||
+ rl->rate = rate;
|
|
||||||
+ rl->tstamp = 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp) {
|
|
||||||
+ uint64_t d, gain;
|
|
||||||
+
|
|
||||||
+ if (tstamp == rl->tstamp) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (tstamp > rl->tstamp) {
|
|
||||||
+ d = tstamp - rl->tstamp;
|
|
||||||
+ } else {
|
|
||||||
+ d = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rl->tstamp = tstamp;
|
|
||||||
+
|
|
||||||
+ if (UINT64_MAX / d < rl->rate) {
|
|
||||||
+ rl->val = rl->burst;
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gain = rl->rate * d;
|
|
||||||
+
|
|
||||||
+ if (UINT64_MAX - gain < rl->val) {
|
|
||||||
+ rl->val = rl->burst;
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rl->val += gain;
|
|
||||||
+ rl->val = nghttp2_min(rl->val, rl->burst);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n) {
|
|
||||||
+ if (rl->val < n) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rl->val -= n;
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
diff --git a/lib/nghttp2_ratelim.h b/lib/nghttp2_ratelim.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..866ed3f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/nghttp2_ratelim.h
|
|
||||||
@@ -0,0 +1,57 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#ifndef NGHTTP2_RATELIM_H
|
|
||||||
+#define NGHTTP2_RATELIM_H
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+# include <config.h>
|
|
||||||
+#endif /* HAVE_CONFIG_H */
|
|
||||||
+
|
|
||||||
+#include <nghttp2/nghttp2.h>
|
|
||||||
+
|
|
||||||
+typedef struct nghttp2_ratelim {
|
|
||||||
+ /* burst is the maximum value of val. */
|
|
||||||
+ uint64_t burst;
|
|
||||||
+ /* rate is the amount of value that is regenerated per 1 tstamp. */
|
|
||||||
+ uint64_t rate;
|
|
||||||
+ /* val is the amount of value available to drain. */
|
|
||||||
+ uint64_t val;
|
|
||||||
+ /* tstamp is the last timestamp in second resolution that is known
|
|
||||||
+ to this object. */
|
|
||||||
+ uint64_t tstamp;
|
|
||||||
+} nghttp2_ratelim;
|
|
||||||
+
|
|
||||||
+/* nghttp2_ratelim_init initializes |rl| with the given parameters. */
|
|
||||||
+void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate);
|
|
||||||
+
|
|
||||||
+/* nghttp2_ratelim_update updates rl->val with the current |tstamp|
|
|
||||||
+ given in second resolution. */
|
|
||||||
+void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp);
|
|
||||||
+
|
|
||||||
+/* nghttp2_ratelim_drain drains |n| from rl->val. It returns 0 if it
|
|
||||||
+ succeeds, or -1. */
|
|
||||||
+int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n);
|
|
||||||
+
|
|
||||||
+#endif /* NGHTTP2_RATELIM_H */
|
|
||||||
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
|
|
||||||
index 8271198..5ee08df 100644
|
|
||||||
--- a/lib/nghttp2_session.c
|
|
||||||
+++ b/lib/nghttp2_session.c
|
|
||||||
@@ -36,6 +36,7 @@
|
|
||||||
#include "nghttp2_option.h"
|
|
||||||
#include "nghttp2_http.h"
|
|
||||||
#include "nghttp2_pq.h"
|
|
||||||
+#include "nghttp2_time.h"
|
|
||||||
#include "nghttp2_debug.h"
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -443,6 +444,10 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS;
|
|
||||||
(*session_ptr)->pending_enable_push = 1;
|
|
||||||
|
|
||||||
+ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
|
|
||||||
+ NGHTTP2_DEFAULT_STREAM_RESET_BURST,
|
|
||||||
+ NGHTTP2_DEFAULT_STREAM_RESET_RATE);
|
|
||||||
+
|
|
||||||
if (server) {
|
|
||||||
(*session_ptr)->server = 1;
|
|
||||||
}
|
|
||||||
@@ -527,6 +532,12 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
option->max_settings) {
|
|
||||||
(*session_ptr)->max_settings = option->max_settings;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (option->opt_set_mask & NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT) {
|
|
||||||
+ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
|
|
||||||
+ option->stream_reset_burst,
|
|
||||||
+ option->stream_reset_rate);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
|
||||||
@@ -4144,6 +4155,23 @@ static int session_process_priority_frame(nghttp2_session *session) {
|
|
||||||
return nghttp2_session_on_priority_received(session, frame);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int session_update_stream_reset_ratelim(nghttp2_session *session) {
|
|
||||||
+ if (!session->server || (session->goaway_flags & NGHTTP2_GOAWAY_SUBMITTED)) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&session->stream_reset_ratelim,
|
|
||||||
+ nghttp2_time_now_sec());
|
|
||||||
+
|
|
||||||
+ if (nghttp2_ratelim_drain(&session->stream_reset_ratelim, 1) == 0) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return nghttp2_session_add_goaway(session, session->last_recv_stream_id,
|
|
||||||
+ NGHTTP2_INTERNAL_ERROR, NULL, 0,
|
|
||||||
+ NGHTTP2_GOAWAY_AUX_NONE);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
|
|
||||||
nghttp2_frame *frame) {
|
|
||||||
int rv;
|
|
||||||
@@ -4173,7 +4201,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
|
|
||||||
if (nghttp2_is_fatal(rv)) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
- return 0;
|
|
||||||
+
|
|
||||||
+ return session_update_stream_reset_ratelim(session);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int session_process_rst_stream_frame(nghttp2_session *session) {
|
|
||||||
@@ -6941,6 +6970,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id,
|
|
||||||
nghttp2_mem_free(mem, item);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ session->goaway_flags |= NGHTTP2_GOAWAY_SUBMITTED;
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
|
|
||||||
index e62a3bb..03f8bee 100644
|
|
||||||
--- a/lib/nghttp2_session.h
|
|
||||||
+++ b/lib/nghttp2_session.h
|
|
||||||
@@ -39,6 +39,7 @@
|
|
||||||
#include "nghttp2_buf.h"
|
|
||||||
#include "nghttp2_callbacks.h"
|
|
||||||
#include "nghttp2_mem.h"
|
|
||||||
+#include "nghttp2_ratelim.h"
|
|
||||||
|
|
||||||
/* The global variable for tests where we want to disable strict
|
|
||||||
preface handling. */
|
|
||||||
@@ -102,6 +103,10 @@ typedef struct {
|
|
||||||
/* The default value of maximum number of concurrent streams. */
|
|
||||||
#define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
|
|
||||||
|
|
||||||
+/* The default values for stream reset rate limiter. */
|
|
||||||
+#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
|
||||||
+#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
|
||||||
+
|
|
||||||
/* Internal state when receiving incoming frame */
|
|
||||||
typedef enum {
|
|
||||||
/* Receiving frame header */
|
|
||||||
@@ -175,7 +180,9 @@ typedef enum {
|
|
||||||
/* Flag means GOAWAY was sent */
|
|
||||||
NGHTTP2_GOAWAY_SENT = 0x4,
|
|
||||||
/* Flag means GOAWAY was received */
|
|
||||||
- NGHTTP2_GOAWAY_RECV = 0x8
|
|
||||||
+ NGHTTP2_GOAWAY_RECV = 0x8,
|
|
||||||
+ /* Flag means GOAWAY has been submitted at least once */
|
|
||||||
+ NGHTTP2_GOAWAY_SUBMITTED = 0x10
|
|
||||||
} nghttp2_goaway_flag;
|
|
||||||
|
|
||||||
/* nghttp2_inflight_settings stores the SETTINGS entries which local
|
|
||||||
@@ -229,6 +236,9 @@ struct nghttp2_session {
|
|
||||||
/* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not
|
|
||||||
considered as in-flight. */
|
|
||||||
nghttp2_inflight_settings *inflight_settings_head;
|
|
||||||
+ /* Stream reset rate limiter. If receiving excessive amount of
|
|
||||||
+ stream resets, GOAWAY will be sent. */
|
|
||||||
+ nghttp2_ratelim stream_reset_ratelim;
|
|
||||||
/* The number of outgoing streams. This will be capped by
|
|
||||||
remote_settings.max_concurrent_streams. */
|
|
||||||
size_t num_outgoing_streams;
|
|
||||||
diff --git a/lib/nghttp2_time.c b/lib/nghttp2_time.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..2a5f1a6
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/nghttp2_time.c
|
|
||||||
@@ -0,0 +1,62 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#include "nghttp2_time.h"
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_TIME_H
|
|
||||||
+# include <time.h>
|
|
||||||
+#endif /* HAVE_TIME_H */
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_SYSINFOAPI_H
|
|
||||||
+# include <sysinfoapi.h>
|
|
||||||
+#endif /* HAVE_SYSINFOAPI_H */
|
|
||||||
+
|
|
||||||
+#ifndef HAVE_GETTICKCOUNT64
|
|
||||||
+static uint64_t time_now_sec(void) {
|
|
||||||
+ time_t t = time(NULL);
|
|
||||||
+
|
|
||||||
+ if (t == -1) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return (uint64_t)t;
|
|
||||||
+}
|
|
||||||
+#endif /* HAVE_GETTICKCOUNT64 */
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CLOCK_GETTIME
|
|
||||||
+uint64_t nghttp2_time_now_sec(void) {
|
|
||||||
+ struct timespec tp;
|
|
||||||
+ int rv = clock_gettime(CLOCK_MONOTONIC, &tp);
|
|
||||||
+
|
|
||||||
+ if (rv == -1) {
|
|
||||||
+ return time_now_sec();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return (uint64_t)tp.tv_sec;
|
|
||||||
+}
|
|
||||||
+#elif defined(HAVE_GETTICKCOUNT64)
|
|
||||||
+uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; }
|
|
||||||
+#else /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
|
|
||||||
+uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); }
|
|
||||||
+#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
|
|
||||||
diff --git a/lib/nghttp2_time.h b/lib/nghttp2_time.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..03c0bbe
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/nghttp2_time.h
|
|
||||||
@@ -0,0 +1,38 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#ifndef NGHTTP2_TIME_H
|
|
||||||
+#define NGHTTP2_TIME_H
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+# include <config.h>
|
|
||||||
+#endif /* HAVE_CONFIG_H */
|
|
||||||
+
|
|
||||||
+#include <nghttp2/nghttp2.h>
|
|
||||||
+
|
|
||||||
+/* nghttp2_time_now_sec returns seconds from implementation-specific
|
|
||||||
+ timepoint. If it is unable to get seconds, it returns 0. */
|
|
||||||
+uint64_t nghttp2_time_now_sec(void);
|
|
||||||
+
|
|
||||||
+#endif /* NGHTTP2_TIME_H */
|
|
||||||
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
|
|
||||||
index 4250ac3..344c542 100644
|
|
||||||
--- a/tests/CMakeLists.txt
|
|
||||||
+++ b/tests/CMakeLists.txt
|
|
||||||
@@ -21,6 +21,7 @@ if(HAVE_CUNIT)
|
|
||||||
nghttp2_npn_test.c
|
|
||||||
nghttp2_helper_test.c
|
|
||||||
nghttp2_buf_test.c
|
|
||||||
+ nghttp2_ratelim_test.c
|
|
||||||
)
|
|
||||||
|
|
||||||
add_executable(main EXCLUDE_FROM_ALL
|
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
||||||
index c3e4392..c130a00 100644
|
|
||||||
--- a/tests/Makefile.am
|
|
||||||
+++ b/tests/Makefile.am
|
|
||||||
@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghttp2_map_test.c nghttp2_queue_test.c \
|
|
||||||
nghttp2_hd_test.c \
|
|
||||||
nghttp2_npn_test.c \
|
|
||||||
nghttp2_helper_test.c \
|
|
||||||
- nghttp2_buf_test.c
|
|
||||||
+ nghttp2_buf_test.c \
|
|
||||||
+ nghttp2_ratelim_test.c
|
|
||||||
|
|
||||||
HFILES = nghttp2_pq_test.h nghttp2_map_test.h nghttp2_queue_test.h \
|
|
||||||
nghttp2_session_test.h \
|
|
||||||
nghttp2_frame_test.h nghttp2_stream_test.h nghttp2_hd_test.h \
|
|
||||||
nghttp2_npn_test.h nghttp2_helper_test.h \
|
|
||||||
nghttp2_test_helper.h \
|
|
||||||
- nghttp2_buf_test.h
|
|
||||||
+ nghttp2_buf_test.h \
|
|
||||||
+ nghttp2_ratelim_test.h
|
|
||||||
|
|
||||||
main_SOURCES = $(HFILES) $(OBJECTS)
|
|
||||||
|
|
||||||
diff --git a/tests/main.c b/tests/main.c
|
|
||||||
index 1f795cd..334cad8 100644
|
|
||||||
--- a/tests/main.c
|
|
||||||
+++ b/tests/main.c
|
|
||||||
@@ -40,6 +40,7 @@
|
|
||||||
#include "nghttp2_npn_test.h"
|
|
||||||
#include "nghttp2_helper_test.h"
|
|
||||||
#include "nghttp2_buf_test.h"
|
|
||||||
+#include "nghttp2_ratelim_test.h"
|
|
||||||
|
|
||||||
extern int nghttp2_enable_strict_preface;
|
|
||||||
|
|
||||||
@@ -323,6 +324,8 @@ int main() {
|
|
||||||
test_nghttp2_session_no_closed_streams) ||
|
|
||||||
!CU_add_test(pSuite, "session_set_stream_user_data",
|
|
||||||
test_nghttp2_session_set_stream_user_data) ||
|
|
||||||
+ !CU_add_test(pSuite, "session_stream_reset_ratelim",
|
|
||||||
+ test_nghttp2_session_stream_reset_ratelim) ||
|
|
||||||
!CU_add_test(pSuite, "http_mandatory_headers",
|
|
||||||
test_nghttp2_http_mandatory_headers) ||
|
|
||||||
!CU_add_test(pSuite, "http_content_length",
|
|
||||||
@@ -418,7 +421,9 @@ int main() {
|
|
||||||
!CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) ||
|
|
||||||
!CU_add_test(pSuite, "bufs_next_present",
|
|
||||||
test_nghttp2_bufs_next_present) ||
|
|
||||||
- !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc)) {
|
|
||||||
+ !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc) ||
|
|
||||||
+ !CU_add_test(pSuite, "ratelim_update", test_nghttp2_ratelim_update) ||
|
|
||||||
+ !CU_add_test(pSuite, "ratelim_drain", test_nghttp2_ratelim_drain)) {
|
|
||||||
CU_cleanup_registry();
|
|
||||||
return (int)CU_get_error();
|
|
||||||
}
|
|
||||||
diff --git a/tests/nghttp2_ratelim_test.c b/tests/nghttp2_ratelim_test.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..6abece9
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/nghttp2_ratelim_test.c
|
|
||||||
@@ -0,0 +1,101 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#include "nghttp2_ratelim_test.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+
|
|
||||||
+#include <CUnit/CUnit.h>
|
|
||||||
+
|
|
||||||
+#include "nghttp2_ratelim.h"
|
|
||||||
+
|
|
||||||
+void test_nghttp2_ratelim_update(void) {
|
|
||||||
+ nghttp2_ratelim rl;
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_init(&rl, 1000, 21);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+ CU_ASSERT(1000 == rl.burst);
|
|
||||||
+ CU_ASSERT(21 == rl.rate);
|
|
||||||
+ CU_ASSERT(0 == rl.tstamp);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, 999);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+ CU_ASSERT(999 == rl.tstamp);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_drain(&rl, 100);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(900 == rl.val);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, 1000);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(921 == rl.val);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, 1002);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(963 == rl.val);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, 1004);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+ CU_ASSERT(1004 == rl.tstamp);
|
|
||||||
+
|
|
||||||
+ /* timer skew */
|
|
||||||
+ nghttp2_ratelim_init(&rl, 1000, 21);
|
|
||||||
+ nghttp2_ratelim_update(&rl, 1);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, 0);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+
|
|
||||||
+ /* rate * duration overflow */
|
|
||||||
+ nghttp2_ratelim_init(&rl, 1000, 100);
|
|
||||||
+ nghttp2_ratelim_drain(&rl, 999);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1 == rl.val);
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_update(&rl, UINT64_MAX);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1000 == rl.val);
|
|
||||||
+
|
|
||||||
+ /* val + rate * duration overflow */
|
|
||||||
+ nghttp2_ratelim_init(&rl, UINT64_MAX - 1, 2);
|
|
||||||
+ nghttp2_ratelim_update(&rl, 1);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(UINT64_MAX - 1 == rl.val);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_nghttp2_ratelim_drain(void) {
|
|
||||||
+ nghttp2_ratelim rl;
|
|
||||||
+
|
|
||||||
+ nghttp2_ratelim_init(&rl, 100, 7);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 101));
|
|
||||||
+ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 51));
|
|
||||||
+ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 49));
|
|
||||||
+ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 1));
|
|
||||||
+}
|
|
||||||
diff --git a/tests/nghttp2_ratelim_test.h b/tests/nghttp2_ratelim_test.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..02b2f2b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/nghttp2_ratelim_test.h
|
|
||||||
@@ -0,0 +1,35 @@
|
|
||||||
+/*
|
|
||||||
+ * nghttp2 - HTTP/2 C Library
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2023 nghttp2 contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining
|
|
||||||
+ * a copy of this software and associated documentation files (the
|
|
||||||
+ * "Software"), to deal in the Software without restriction, including
|
|
||||||
+ * without limitation the rights to use, copy, modify, merge, publish,
|
|
||||||
+ * distribute, sublicense, and/or sell copies of the Software, and to
|
|
||||||
+ * permit persons to whom the Software is furnished to do so, subject to
|
|
||||||
+ * the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be
|
|
||||||
+ * included in all copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
||||||
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
||||||
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
||||||
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
||||||
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
||||||
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+#ifndef NGHTTP2_RATELIM_TEST_H
|
|
||||||
+#define NGHTTP2_RATELIM_TEST_H
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+# include <config.h>
|
|
||||||
+#endif /* HAVE_CONFIG_H */
|
|
||||||
+
|
|
||||||
+void test_nghttp2_ratelim_update(void);
|
|
||||||
+void test_nghttp2_ratelim_drain(void);
|
|
||||||
+
|
|
||||||
+#endif /* NGHTTP2_RATELIM_TEST_H */
|
|
||||||
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
|
|
||||||
index ab76ab4..dece5c1 100644
|
|
||||||
--- a/tests/nghttp2_session_test.c
|
|
||||||
+++ b/tests/nghttp2_session_test.c
|
|
||||||
@@ -10790,6 +10790,109 @@ void test_nghttp2_session_set_stream_user_data(void) {
|
|
||||||
nghttp2_session_del(session);
|
|
||||||
}
|
|
||||||
|
|
||||||
+void test_nghttp2_session_stream_reset_ratelim(void) {
|
|
||||||
+ nghttp2_session *session;
|
|
||||||
+ nghttp2_session_callbacks callbacks;
|
|
||||||
+ nghttp2_frame frame;
|
|
||||||
+ ssize_t rv;
|
|
||||||
+ nghttp2_bufs bufs;
|
|
||||||
+ nghttp2_buf *buf;
|
|
||||||
+ nghttp2_mem *mem;
|
|
||||||
+ size_t i;
|
|
||||||
+ nghttp2_hd_deflater deflater;
|
|
||||||
+ size_t nvlen;
|
|
||||||
+ nghttp2_nv *nva;
|
|
||||||
+ int32_t stream_id;
|
|
||||||
+ nghttp2_outbound_item *item;
|
|
||||||
+ nghttp2_option *option;
|
|
||||||
+
|
|
||||||
+ mem = nghttp2_mem_default();
|
|
||||||
+ frame_pack_bufs_init(&bufs);
|
|
||||||
+
|
|
||||||
+ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
|
|
||||||
+ callbacks.send_callback = null_send_callback;
|
|
||||||
+
|
|
||||||
+ nghttp2_option_new(&option);
|
|
||||||
+ nghttp2_option_set_stream_reset_rate_limit(
|
|
||||||
+ option, NGHTTP2_DEFAULT_STREAM_RESET_BURST, 0);
|
|
||||||
+
|
|
||||||
+ nghttp2_session_server_new2(&session, &callbacks, NULL, option);
|
|
||||||
+
|
|
||||||
+ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, NULL, 0);
|
|
||||||
+ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(0 == rv);
|
|
||||||
+
|
|
||||||
+ nghttp2_frame_settings_free(&frame.settings, mem);
|
|
||||||
+
|
|
||||||
+ buf = &bufs.head->buf;
|
|
||||||
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
|
|
||||||
+
|
|
||||||
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
|
|
||||||
+
|
|
||||||
+ /* Send SETTINGS ACK */
|
|
||||||
+ rv = nghttp2_session_send(session);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(0 == rv);
|
|
||||||
+
|
|
||||||
+ nghttp2_hd_deflate_init(&deflater, mem);
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < NGHTTP2_DEFAULT_STREAM_RESET_BURST + 2; ++i) {
|
|
||||||
+ stream_id = (int32_t)(i * 2 + 1);
|
|
||||||
+
|
|
||||||
+ nghttp2_bufs_reset(&bufs);
|
|
||||||
+
|
|
||||||
+ /* HEADERS */
|
|
||||||
+ nvlen = ARRLEN(reqnv);
|
|
||||||
+ nghttp2_nv_array_copy(&nva, reqnv, nvlen, mem);
|
|
||||||
+ nghttp2_frame_headers_init(&frame.headers, NGHTTP2_FLAG_END_HEADERS,
|
|
||||||
+ stream_id, NGHTTP2_HCAT_HEADERS, NULL, nva,
|
|
||||||
+ nvlen);
|
|
||||||
+ rv = nghttp2_frame_pack_headers(&bufs, &frame.headers, &deflater);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(0 == rv);
|
|
||||||
+
|
|
||||||
+ nghttp2_frame_headers_free(&frame.headers, mem);
|
|
||||||
+
|
|
||||||
+ buf = &bufs.head->buf;
|
|
||||||
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
|
|
||||||
+
|
|
||||||
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
|
|
||||||
+
|
|
||||||
+ nghttp2_bufs_reset(&bufs);
|
|
||||||
+
|
|
||||||
+ /* RST_STREAM */
|
|
||||||
+ nghttp2_frame_rst_stream_init(&frame.rst_stream, stream_id,
|
|
||||||
+ NGHTTP2_NO_ERROR);
|
|
||||||
+ nghttp2_frame_pack_rst_stream(&bufs, &frame.rst_stream);
|
|
||||||
+ nghttp2_frame_rst_stream_free(&frame.rst_stream);
|
|
||||||
+
|
|
||||||
+ buf = &bufs.head->buf;
|
|
||||||
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
|
|
||||||
+
|
|
||||||
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
|
|
||||||
+
|
|
||||||
+ if (i < NGHTTP2_DEFAULT_STREAM_RESET_BURST) {
|
|
||||||
+ CU_ASSERT(0 == nghttp2_outbound_queue_size(&session->ob_reg));
|
|
||||||
+
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(1 == nghttp2_outbound_queue_size(&session->ob_reg));
|
|
||||||
+
|
|
||||||
+ item = nghttp2_session_get_next_ob_item(session);
|
|
||||||
+
|
|
||||||
+ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
|
|
||||||
+ CU_ASSERT(NGHTTP2_DEFAULT_STREAM_RESET_BURST * 2 + 1 ==
|
|
||||||
+ item->frame.goaway.last_stream_id);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ nghttp2_hd_deflate_free(&deflater);
|
|
||||||
+ nghttp2_session_del(session);
|
|
||||||
+ nghttp2_bufs_free(&bufs);
|
|
||||||
+ nghttp2_option_del(option);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void check_nghttp2_http_recv_headers_fail(
|
|
||||||
nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id,
|
|
||||||
int stream_state, const nghttp2_nv *nva, size_t nvlen) {
|
|
||||||
diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
|
|
||||||
index c5095c2..2b74e88 100644
|
|
||||||
--- a/tests/nghttp2_session_test.h
|
|
||||||
+++ b/tests/nghttp2_session_test.h
|
|
||||||
@@ -160,6 +160,7 @@ void test_nghttp2_session_removed_closed_stream(void);
|
|
||||||
void test_nghttp2_session_pause_data(void);
|
|
||||||
void test_nghttp2_session_no_closed_streams(void);
|
|
||||||
void test_nghttp2_session_set_stream_user_data(void);
|
|
||||||
+void test_nghttp2_session_stream_reset_ratelim(void);
|
|
||||||
void test_nghttp2_http_mandatory_headers(void);
|
|
||||||
void test_nghttp2_http_content_length(void);
|
|
||||||
void test_nghttp2_http_content_length_mismatch(void);
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,193 +0,0 @@
|
|||||||
From 771044ffd217c5b20f1714e7e3fdd851a32d059c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
|
||||||
Date: Sat, 9 Mar 2024 16:26:42 +0900
|
|
||||||
Subject: [PATCH] Add nghttp2_option_set_max_continuations
|
|
||||||
|
|
||||||
(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9)
|
|
||||||
Signed-off-by: Jan Macku <jamacku@redhat.com>
|
|
||||||
|
|
||||||
Limit CONTINUATION frames following an incoming HEADER frame
|
|
||||||
|
|
||||||
(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
|
|
||||||
Signed-off-by: Jan Macku <jamacku@redhat.com>
|
|
||||||
---
|
|
||||||
doc/Makefile.am | 1 +
|
|
||||||
lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++-
|
|
||||||
lib/nghttp2_helper.c | 2 ++
|
|
||||||
lib/nghttp2_option.c | 5 +++++
|
|
||||||
lib/nghttp2_option.h | 5 +++++
|
|
||||||
lib/nghttp2_session.c | 11 +++++++++++
|
|
||||||
lib/nghttp2_session.h | 10 ++++++++++
|
|
||||||
7 files changed, 51 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/doc/Makefile.am b/doc/Makefile.am
|
|
||||||
index 87f6c43b..1334de63 100644
|
|
||||||
--- a/doc/Makefile.am
|
|
||||||
+++ b/doc/Makefile.am
|
|
||||||
@@ -67,6 +67,7 @@ APIDOCS= \
|
|
||||||
nghttp2_option_set_no_recv_client_magic.rst \
|
|
||||||
nghttp2_option_set_peer_max_concurrent_streams.rst \
|
|
||||||
nghttp2_option_set_user_recv_extension_type.rst \
|
|
||||||
+ nghttp2_option_set_max_continuations.rst \
|
|
||||||
nghttp2_option_set_max_outbound_ack.rst \
|
|
||||||
nghttp2_option_set_max_settings.rst \
|
|
||||||
nghttp2_option_set_stream_reset_rate_limit.rst \
|
|
||||||
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
|
|
||||||
index 9eb764c6..2530a061 100644
|
|
||||||
--- a/lib/includes/nghttp2/nghttp2.h
|
|
||||||
+++ b/lib/includes/nghttp2/nghttp2.h
|
|
||||||
@@ -434,7 +434,12 @@ typedef enum {
|
|
||||||
* exhaustion on server side to send these frames forever and does
|
|
||||||
* not read network.
|
|
||||||
*/
|
|
||||||
- NGHTTP2_ERR_FLOODED = -904
|
|
||||||
+ NGHTTP2_ERR_FLOODED = -904,
|
|
||||||
+ /**
|
|
||||||
+ * When a local endpoint receives too many CONTINUATION frames
|
|
||||||
+ * following a HEADER frame.
|
|
||||||
+ */
|
|
||||||
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
|
||||||
} nghttp2_error;
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -2688,6 +2693,17 @@ NGHTTP2_EXTERN void
|
|
||||||
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
uint64_t burst, uint64_t rate);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * @function
|
|
||||||
+ *
|
|
||||||
+ * This function sets the maximum number of CONTINUATION frames
|
|
||||||
+ * following an incoming HEADER frame. If more than those frames are
|
|
||||||
+ * received, the remote endpoint is considered to be misbehaving and
|
|
||||||
+ * session will be closed. The default value is 8.
|
|
||||||
+ */
|
|
||||||
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
|
||||||
+ size_t val);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* @function
|
|
||||||
*
|
|
||||||
diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
|
|
||||||
index 49bbf079..562c652c 100644
|
|
||||||
--- a/lib/nghttp2_helper.c
|
|
||||||
+++ b/lib/nghttp2_helper.c
|
|
||||||
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
|
|
||||||
"closed";
|
|
||||||
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
|
||||||
return "SETTINGS frame contained more than the maximum allowed entries";
|
|
||||||
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
|
||||||
+ return "Too many CONTINUATION frames following a HEADER frame";
|
|
||||||
default:
|
|
||||||
return "Unknown error code";
|
|
||||||
}
|
|
||||||
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
|
|
||||||
index 0d9a4044..f3659c18 100644
|
|
||||||
--- a/lib/nghttp2_option.c
|
|
||||||
+++ b/lib/nghttp2_option.c
|
|
||||||
@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
option->stream_reset_burst = burst;
|
|
||||||
option->stream_reset_rate = rate;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
|
||||||
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
|
||||||
+ option->max_continuations = val;
|
|
||||||
+}
|
|
||||||
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
|
|
||||||
index e6ba9100..c1b48c73 100644
|
|
||||||
--- a/lib/nghttp2_option.h
|
|
||||||
+++ b/lib/nghttp2_option.h
|
|
||||||
@@ -69,6 +69,7 @@ typedef enum {
|
|
||||||
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
|
|
||||||
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
|
|
||||||
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
|
||||||
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
|
||||||
} nghttp2_option_flag;
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -96,6 +97,10 @@ struct nghttp2_option {
|
|
||||||
* NGHTTP2_OPT_MAX_SETTINGS
|
|
||||||
*/
|
|
||||||
size_t max_settings;
|
|
||||||
+ /**
|
|
||||||
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
|
||||||
+ */
|
|
||||||
+ size_t max_continuations;
|
|
||||||
/**
|
|
||||||
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
|
||||||
* are specified.
|
|
||||||
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
|
|
||||||
index 5ee08dfe..821c57ea 100644
|
|
||||||
--- a/lib/nghttp2_session.c
|
|
||||||
+++ b/lib/nghttp2_session.c
|
|
||||||
@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
|
||||||
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
|
||||||
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
|
||||||
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
|
||||||
|
|
||||||
if (option) {
|
|
||||||
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
|
||||||
@@ -538,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
option->stream_reset_burst,
|
|
||||||
option->stream_reset_rate);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
|
||||||
+ (*session_ptr)->max_continuations = option->max_continuations;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
|
||||||
@@ -6289,6 +6294,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
session_inbound_frame_reset(session);
|
|
||||||
+
|
|
||||||
+ session->num_continuations = 0;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -6410,6 +6417,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
|
||||||
}
|
|
||||||
#endif /* DEBUGBUILD */
|
|
||||||
|
|
||||||
+ if (++session->num_continuations > session->max_continuations) {
|
|
||||||
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
readlen = inbound_frame_buf_read(iframe, in, last);
|
|
||||||
in += readlen;
|
|
||||||
|
|
||||||
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
|
|
||||||
index 03f8bee4..72464024 100644
|
|
||||||
--- a/lib/nghttp2_session.h
|
|
||||||
+++ b/lib/nghttp2_session.h
|
|
||||||
@@ -107,6 +107,10 @@ typedef struct {
|
|
||||||
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
|
||||||
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
|
||||||
|
|
||||||
+/* The default max number of CONTINUATION frames following an incoming
|
|
||||||
+ HEADER frame. */
|
|
||||||
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
|
||||||
+
|
|
||||||
/* Internal state when receiving incoming frame */
|
|
||||||
typedef enum {
|
|
||||||
/* Receiving frame header */
|
|
||||||
@@ -281,6 +285,12 @@ struct nghttp2_session {
|
|
||||||
size_t max_send_header_block_length;
|
|
||||||
/* The maximum number of settings accepted per SETTINGS frame. */
|
|
||||||
size_t max_settings;
|
|
||||||
+ /* The maximum number of CONTINUATION frames following an incoming
|
|
||||||
+ HEADER frame. */
|
|
||||||
+ size_t max_continuations;
|
|
||||||
+ /* The number of CONTINUATION frames following an incoming HEADER
|
|
||||||
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
|
||||||
+ size_t num_continuations;
|
|
||||||
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
|
||||||
uint32_t next_stream_id;
|
|
||||||
/* The last stream ID this session initiated. For client session,
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: Experimental HTTP/2 client, server and proxy
|
Summary: Experimental HTTP/2 client, server and proxy
|
||||||
Name: nghttp2
|
Name: nghttp2
|
||||||
Version: 1.33.0
|
Version: 1.33.0
|
||||||
Release: 6%{?dist}.1
|
Release: 3%{?dist}.1
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
URL: https://nghttp2.org/
|
URL: https://nghttp2.org/
|
||||||
@ -13,12 +13,6 @@ Patch1: nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
|
|||||||
# prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
|
# prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
|
||||||
Patch2: nghttp2-1.33.0-CVE-2020-11080.patch
|
Patch2: nghttp2-1.33.0-CVE-2020-11080.patch
|
||||||
|
|
||||||
# fix HTTP/2 Rapid Reset (CVE-2023-44487)
|
|
||||||
Patch3: 0003-nghttp2-1.33.0-CVE-2023-44487.patch
|
|
||||||
|
|
||||||
# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
|
|
||||||
Patch4: 0004-nghttp2-1.33.0-CVE-2024-28182.patch
|
|
||||||
|
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
|
|
||||||
@ -62,8 +56,6 @@ for building applications with libnghttp2.
|
|||||||
%setup -q
|
%setup -q
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
|
|
||||||
# make fetch-ocsp-response use Python 3
|
# make fetch-ocsp-response use Python 3
|
||||||
@ -135,16 +127,7 @@ make %{?_smp_mflags} check
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6.1
|
* Tue Jun 09 2020 Kamil Dudka <kdudka@redhat.com> 1.33.0-3.el8_2.1
|
||||||
- fix CONTINUATION frames DoS (CVE-2024-27316)
|
|
||||||
|
|
||||||
* Mon Apr 08 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6
|
|
||||||
- fix CONTINUATION frames DoS (CVE-2024-28182)
|
|
||||||
|
|
||||||
* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.33.0-5
|
|
||||||
- fix HTTP/2 Rapid Reset (CVE-2023-44487)
|
|
||||||
|
|
||||||
* Tue Jun 09 2020 Kamil Dudka <kdudka@redhat.com> 1.33.0-4
|
|
||||||
- prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
|
- prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
|
||||||
|
|
||||||
* Wed Aug 28 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-3
|
* Wed Aug 28 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-3
|
@ -1,6 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-8
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
1
sources
1
sources
@ -1 +0,0 @@
|
|||||||
SHA512 (nghttp2-1.33.0.tar.xz) = eeb0bf64fea115444c685c8a01c1017ce96be18adf88ffcdecad067de7012ca61c6b2b6a627b18e2572bba7bd77ec56a3ca4b1109f7a4b21220e8e28687b5b74
|
|
@ -1,69 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# exit immediately if any command returns non-zero exit code
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# print commands as they are executed by the shell interpreter
|
|
||||||
set -x
|
|
||||||
|
|
||||||
# global constants
|
|
||||||
HOST="localhost"
|
|
||||||
PORT="1234"
|
|
||||||
PKEY="./pkey.pem"
|
|
||||||
CERT="./cert.pem"
|
|
||||||
CURL_OUT="./curl.out"
|
|
||||||
CURL_ERR="./curl.err"
|
|
||||||
NGHTTP_OUT="./nghttp.out"
|
|
||||||
NGHTTP_ERR="./nghttp.err"
|
|
||||||
SELF="./runtest.sh"
|
|
||||||
URL="https://${HOST}:${PORT}/${SELF}"
|
|
||||||
|
|
||||||
# print versions of related pkgs
|
|
||||||
PKGS="$(set +x; eval echo {lib,}curl {lib,}nghttp2 openssl{,-libs})"
|
|
||||||
rpm -q $PKGS | sort -V
|
|
||||||
rpm -V $PKGS
|
|
||||||
|
|
||||||
# print full path of used commands
|
|
||||||
(set +x
|
|
||||||
for i in curl nghttp{,d} openssl; do
|
|
||||||
(set -x; command -v $i)
|
|
||||||
done
|
|
||||||
)
|
|
||||||
|
|
||||||
# make sure that $SELF exists
|
|
||||||
pwd
|
|
||||||
file -E $SELF
|
|
||||||
|
|
||||||
# create a self-signed certificate
|
|
||||||
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
|
|
||||||
-subj /CN=${HOST} -addext subjectAltName=DNS:${HOST} \
|
|
||||||
-nodes -keyout $PKEY -out $CERT
|
|
||||||
|
|
||||||
# run nghttpd in the background
|
|
||||||
nghttpd -d "$PWD" $PORT $PKEY $CERT &
|
|
||||||
NGHTTPD_PID=$!
|
|
||||||
|
|
||||||
# FIXME: wait for open port instead
|
|
||||||
sleep 2
|
|
||||||
|
|
||||||
# transfer the contents of this script over HTTP/2 using curl
|
|
||||||
curl --cacert $CERT --fail --silent --verbose $URL \
|
|
||||||
> $CURL_OUT 2> $CURL_ERR
|
|
||||||
|
|
||||||
# check whether the received data matches the original contents
|
|
||||||
diff $SELF $CURL_OUT
|
|
||||||
|
|
||||||
# check that we made a successful HTTP/2 request with curl
|
|
||||||
grep '^< HTTP/2 200' $CURL_ERR
|
|
||||||
|
|
||||||
# transfer the contents of this script over HTTP/2 using nghttp
|
|
||||||
nghttp $URL > $NGHTTP_OUT
|
|
||||||
|
|
||||||
# check whether the received data matches the original contents
|
|
||||||
diff $SELF $NGHTTP_OUT
|
|
||||||
|
|
||||||
# kill nghttpd running in the background
|
|
||||||
kill $NGHTTPD_PID
|
|
||||||
|
|
||||||
# wait till the background process finishes
|
|
||||||
wait
|
|
@ -1,13 +0,0 @@
|
|||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-basic
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
tests:
|
|
||||||
- client-server:
|
|
||||||
dir: client-server
|
|
||||||
run: ./runtest.sh
|
|
||||||
required_packages:
|
|
||||||
- curl
|
|
||||||
- nghttp2
|
|
||||||
- openssl
|
|
Loading…
Reference in New Issue
Block a user