1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Tue, 13 Aug 2019 15:43:36 +0300
Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames.
Fixed excessive memory growth and CPU usage if stream windows are
manipulated in a way that results in generating many small DATA frames.
Fix is to limit the number of simultaneously allocated DATA frames.
---
src/http/v2/ngx_http_v2.c | 2 ++
src/http/v2/ngx_http_v2.h | 2 ++
src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++-----
3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index be2ef82b..1b01f271 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
*/
pool = stream->pool;
+ h2c->frames -= stream->frames;
+
ngx_http_free_request(stream->request, rc);
if (pool != h2c->state.pool) {
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index bec22160..715b7d30 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
ngx_buf_t *preread;
+ ngx_uint_t frames;
+
ngx_http_v2_out_frame_t *free_frames;
ngx_chain_t *free_frame_headers;
ngx_chain_t *free_bufs;
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index 029e8ece..c7ee5536 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
size_t len, ngx_chain_t *first, ngx_chain_t *last)
{
- u_char flags;
- ngx_buf_t *buf;
- ngx_chain_t *cl;
- ngx_http_v2_out_frame_t *frame;
+ u_char flags;
+ ngx_buf_t *buf;
+ ngx_chain_t *cl;
+ ngx_http_v2_out_frame_t *frame;
+ ngx_http_v2_connection_t *h2c;
frame = stream->free_frames;
+ h2c = stream->connection;
if (frame) {
stream->free_frames = frame->next;
- } else {
+ } else if (h2c->frames < 10000) {
frame = ngx_palloc(stream->request->pool,
sizeof(ngx_http_v2_out_frame_t));
if (frame == NULL) {
return NULL;
}
+
+ stream->frames++;
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}
flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
--
2.20.1
|
