182744510Sopenharmony_ciFrom 5fe782778f535ae68508fb7979df1cbfbdf4d6de Mon Sep 17 00:00:00 2001 282744510Sopenharmony_ciFrom: sunsuwan <sunsuwan3@huawei.com> 382744510Sopenharmony_ciDate: Mon, 4 Sep 2023 21:45:49 +0800 482744510Sopenharmony_ciSubject: [PATCH] CVE-2023-33953 add header limit 582744510Sopenharmony_ci 682744510Sopenharmony_ciSigned-off-by: zhouyihang <zhouyihang3@h-partners.com> 782744510Sopenharmony_ciSigned-off-by: sunsuwan <sunsuwan3@huawei.com> 882744510Sopenharmony_ci--- 982744510Sopenharmony_ci .../ext/transport/chttp2/transport/hpack_parser.cc | 12 ++++++++++++ 1082744510Sopenharmony_ci 1 file changed, 12 insertions(+) 1182744510Sopenharmony_ci 1282744510Sopenharmony_cidiff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc 1382744510Sopenharmony_ciindex 09681fa..6b191a7 100644 1482744510Sopenharmony_ci--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc 1582744510Sopenharmony_ci+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc 1682744510Sopenharmony_ci@@ -1372,6 +1372,18 @@ grpc_error_handle grpc_chttp2_header_parser_parse(void* hpack_parser, 1782744510Sopenharmony_ci auto* parser = static_cast<grpc_core::HPackParser*>(hpack_parser); 1882744510Sopenharmony_ci if (s != nullptr) { 1982744510Sopenharmony_ci s->stats.incoming.header_bytes += GRPC_SLICE_LENGTH(slice); 2082744510Sopenharmony_ci+ if (s->stats.incoming.header_bytes > t->settings[GRPC_ACKED_SETTINGS] 2182744510Sopenharmony_ci+ [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE]) { 2282744510Sopenharmony_ci+ grpc_chttp2_cancel_stream( 2382744510Sopenharmony_ci+ t, s, 2482744510Sopenharmony_ci+ grpc_error_set_int(GRPC_ERROR_CREATE_FROM_STATIC_STRING( 2582744510Sopenharmony_ci+ "received header size exceeds limit"), 2682744510Sopenharmony_ci+ GRPC_ERROR_INT_GRPC_STATUS, 2782744510Sopenharmony_ci+ GRPC_STATUS_RESOURCE_EXHAUSTED)); 2882744510Sopenharmony_ci+ grpc_chttp2_parsing_become_skip_parser(t); 2982744510Sopenharmony_ci+ s->seen_error = true; 3082744510Sopenharmony_ci+ return GRPC_ERROR_NONE; 3182744510Sopenharmony_ci+ } 3282744510Sopenharmony_ci } 3382744510Sopenharmony_ci grpc_error_handle error = parser->Parse(slice, is_last != 0); 3482744510Sopenharmony_ci if (error != GRPC_ERROR_NONE) { 3582744510Sopenharmony_ci-- 3682744510Sopenharmony_ci2.33.0 3782744510Sopenharmony_ci 38