Fix: infinite loop in parse_header_data() when HTTP/3 header length exceeds 65535 #69
Conversation
Reproduction StepsUse the http_client from lsquic to send a custom request header that exceeds 65535 bytes. The specific steps are as follows:
Reproduction Results
|
|
Thanks. just curious, why the screen shot shows that nginx has 100% CPU? nginx is patched to use ls-qpack? |
|
Yes, we try to integrate lsquic and ls-qpack into Nginx. |
Interesting. :-) |
|
Yes, the QUIC implementation in Nginx is currently not fully mature, as it only supports the Reno congestion control algorithm. Additionally, LSQUIC supports both GQUIC and IETF QUIC. |
Issue Description
When using QPACK for encoding and decoding in HTTP/3, lsquic encounters infinite loop during the process of decoding client request headers.
Loop Description
Infinite loop occurs in
parse_header_data(). Loop is as follows:get_dst(): Unable to store Huffman decoding results due to insufficient buffer space.lsqpack_huff_decode(): Returns status code HUFF_DEC_END_DST, indicating the buffer is full.header_out_grow_buf(): Attempts to calculate the required buffer growth size but restricts it to a maximum limit.h1h_prepare_decode(): Fails to grow the buffer because the size remains unchanged.get_dst(): Unable to store Huffman decoding results due to insufficient buffer space....... loop continues.
Loop Reason
During the decoding of HTTP/3 request header, if the buffer space is insufficient, a buffer expansion is triggered. However, even if the required expansion size exceeds 65535 bytes, the
header_out_grow_buf()restricts the buffer size to 65535 bytes, resulting in no additional space being allocated. This causes the decoding process to enter a infinite loop.