Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backport 0.3.x - fix: limit number of CONTINUATION frames allowed #759

Merged
merged 1 commit into from
Apr 3, 2024

Conversation

seanmonstar
Copy link
Member

Calculate the amount of allowed CONTINUATION frames based on other settings.

max_header_list_size / max_frame_size

That is about how many CONTINUATION frames would be needed to send headers up to the max allowed size. We then multiply by that by a small amount, to allow for implementations that don't perfectly pack into the minimum frames needed.

In practice, much more than that would be a very inefficient peer, or a peer trying to waste resources.

See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for more info.

@seanmonstar seanmonstar requested a review from Noah-Kennedy April 3, 2024 17:40
Calculate the amount of allowed CONTINUATION frames based on other
settings.

    max_header_list_size / max_frame_size

That is about how many CONTINUATION frames would be needed to send
headers up to the max allowed size. We then multiply by that by a small
amount, to allow for implementations that don't perfectly pack into the
minimum frames *needed*.

In practice, *much* more than that would be a very inefficient peer, or
a peer trying to waste resources.

See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for
more info.
@seanmonstar seanmonstar force-pushed the 0.3-sec-continuation branch from 93d9d66 to b272c2b Compare April 3, 2024 17:50
@seanmonstar seanmonstar merged commit 1a357aa into 0.3.x Apr 3, 2024
5 checks passed
@seanmonstar seanmonstar deleted the 0.3-sec-continuation branch April 3, 2024 17:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants