QUIC: added missing checks for limits in stream frames parsing.

author: Vladimir Homutov <vl@nginx.com> 2021-04-19 09:46:37 +0300
committer: Vladimir Homutov <vl@nginx.com> 2021-04-19 09:46:37 +0300
commit: f184bc0a0af74ec160399451a655eac9fb71c490 (patch)
tree: d387b967471970615e25bf0ce258ab68b6d1d405 /src
parent: db4c8fe45f8c609a85b52547891d6ba992c30b4e (diff)
download: nginx-f184bc0a0af74ec160399451a655eac9fb71c490.tar.gz
nginx-f184bc0a0af74ec160399451a655eac9fb71c490.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
index ad4758c60..0d84546eb 100644
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -1003,6 +1003,10 @@ ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
             goto error;
         }
 
+        if (f->u.streams_blocked.limit > 0x1000000000000000) {
+            goto error;
+        }
+
         f->u.streams_blocked.bidi =
                               (f->type == NGX_QUIC_FT_STREAMS_BLOCKED) ? 1 : 0;
         break;
@@ -1015,6 +1019,10 @@ ngx_quic_parse_frame(ngx_quic_header_t *pkt, u_char *start, u_char *end,
             goto error;
         }
 
+        if (f->u.max_streams.limit > 0x1000000000000000) {
+            goto error;
+        }
+
         f->u.max_streams.bidi = (f->type == NGX_QUIC_FT_MAX_STREAMS) ? 1 : 0;
 
         break;
author	Vladimir Homutov <vl@nginx.com>	2021-04-19 09:46:37 +0300
committer	Vladimir Homutov <vl@nginx.com>	2021-04-19 09:46:37 +0300
commit	f184bc0a0af74ec160399451a655eac9fb71c490 (patch)
tree	d387b967471970615e25bf0ce258ab68b6d1d405 /src
parent	db4c8fe45f8c609a85b52547891d6ba992c30b4e (diff)
download	nginx-f184bc0a0af74ec160399451a655eac9fb71c490.tar.gz nginx-f184bc0a0af74ec160399451a655eac9fb71c490.tar.bz2