1From 5fe782778f535ae68508fb7979df1cbfbdf4d6de Mon Sep 17 00:00:00 2001 2From: sunsuwan <sunsuwan3@huawei.com> 3Date: Mon, 4 Sep 2023 21:45:49 +0800 4Subject: [PATCH] CVE-2023-33953 add header limit 5 6Signed-off-by: zhouyihang <zhouyihang3@h-partners.com> 7Signed-off-by: sunsuwan <sunsuwan3@huawei.com> 8--- 9 .../ext/transport/chttp2/transport/hpack_parser.cc | 12 ++++++++++++ 10 1 file changed, 12 insertions(+) 11 12diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc 13index 09681fa..6b191a7 100644 14--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc 15+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc 16@@ -1372,6 +1372,18 @@ grpc_error_handle grpc_chttp2_header_parser_parse(void* hpack_parser, 17 auto* parser = static_cast<grpc_core::HPackParser*>(hpack_parser); 18 if (s != nullptr) { 19 s->stats.incoming.header_bytes += GRPC_SLICE_LENGTH(slice); 20+ if (s->stats.incoming.header_bytes > t->settings[GRPC_ACKED_SETTINGS] 21+ [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE]) { 22+ grpc_chttp2_cancel_stream( 23+ t, s, 24+ grpc_error_set_int(GRPC_ERROR_CREATE_FROM_STATIC_STRING( 25+ "received header size exceeds limit"), 26+ GRPC_ERROR_INT_GRPC_STATUS, 27+ GRPC_STATUS_RESOURCE_EXHAUSTED)); 28+ grpc_chttp2_parsing_become_skip_parser(t); 29+ s->seen_error = true; 30+ return GRPC_ERROR_NONE; 31+ } 32 } 33 grpc_error_handle error = parser->Parse(slice, is_last != 0); 34 if (error != GRPC_ERROR_NONE) { 35-- 362.33.0 37 38