spdy: limit header-size and header-count

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Author: dims

spdy/read.go

@@ -195,13 +195,27 @@ func (f *Framer) parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Hea
 	if err := binary.Read(r, binary.BigEndian, &numHeaders); err != nil {
 		return nil, err
 	}
+	maxHeaders := defaultMaxHeaderCount
+	if f.maxHeaderCount > 0 {
+		maxHeaders = f.maxHeaderCount
+	}
+	if numHeaders > maxHeaders {
+		return nil, &Error{InvalidControlFrame, streamId}
+	}
+	maxFieldSize := defaultMaxHeaderFieldSize
+	if f.maxHeaderFieldSize > 0 {
+		maxFieldSize = f.maxHeaderFieldSize
+	}
 	var e error
 	h := make(http.Header, int(numHeaders))
 	for i := 0; i < int(numHeaders); i++ {
 		var length uint32
 		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
 			return nil, err
 		}
+		if length > maxFieldSize {
+			return nil, &Error{InvalidControlFrame, streamId}
+		}
 		nameBytes := make([]byte, length)
 		if _, err := io.ReadFull(r, nameBytes); err != nil {
 			return nil, err
@@ -217,6 +231,9 @@ func (f *Framer) parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Hea
 		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
 			return nil, err
 		}
+		if length > maxFieldSize {
+			return nil, &Error{InvalidControlFrame, streamId}
+		}
 		value := make([]byte, length)
 		if _, err := io.ReadFull(r, value); err != nil {
 			return nil, err

spdy/spdy_test.go

@@ -269,6 +269,42 @@ func TestReadFrameRejectsSettingsLengthMismatch(t *testing.T) {
 	}
 }
 
+func TestParseHeaderValueBlockRejectsHeaderCountOverLimit(t *testing.T) {
+	buffer := bytes.NewBuffer([]byte{
+		0x00, 0x00, 0x00, 0x02, // numHeaders = 2
+	})
+
+	f := &Framer{maxHeaderCount: 1}
+	_, err := f.parseHeaderValueBlock(buffer, 1)
+	if err == nil {
+		t.Fatal("expected error for excessive header count")
+	}
+	spdyErr, ok := err.(*Error)
+	if !ok || spdyErr.Err != InvalidControlFrame {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestParseHeaderValueBlockRejectsHeaderFieldSizeOverLimit(t *testing.T) {
+	buffer := bytes.NewBuffer([]byte{
+		0x00, 0x00, 0x00, 0x01, // numHeaders = 1
+		0x00, 0x00, 0x00, 0x02, // name length = 2
+		0x61, 0x62, // name = "ab"
+		0x00, 0x00, 0x00, 0x01, // value length = 1
+		0x63, // value = "c"
+	})
+
+	f := &Framer{maxHeaderFieldSize: 1}
+	_, err := f.parseHeaderValueBlock(buffer, 1)
+	if err == nil {
+		t.Fatal("expected error for excessive header field size")
+	}
+	spdyErr, ok := err.(*Error)
+	if !ok || spdyErr.Err != InvalidControlFrame {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
 func TestCreateParsePing(t *testing.T) {
 	buffer := new(bytes.Buffer)
 	framer, err := NewFramer(buffer, buffer)

spdy/types.go

@@ -51,6 +51,11 @@ const (
 // MaxDataLength is the maximum number of bytes that can be stored in one frame.
 const MaxDataLength = 1<<24 - 1
 
+const (
+	defaultMaxHeaderFieldSize uint32 = 1 << 20
+	defaultMaxHeaderCount     uint32 = 1000
+)
+
 // headerValueSepator separates multiple header values.
 const headerValueSeparator = "\x00"
 
@@ -256,7 +261,9 @@ type Framer struct {
 	headerReader              io.LimitedReader
 	headerDecompressor        io.ReadCloser
 
-	maxFrameLength uint32 // overrides the default frame payload length limit.
+	maxFrameLength       uint32 // overrides the default frame payload length limit.
+	maxHeaderFieldSize   uint32 // overrides the default per-header name/value length limit.
+	maxHeaderCount       uint32 // overrides the default header count limit.
 }
 
 // NewFramer allocates a new Framer for a given SPDY connection, represented by