Merge commit from fork

uint32

Author: thaJeztah

connection.go

@@ -224,7 +224,13 @@ type Connection struct {
 // NewConnection creates a new spdy connection from an existing
 // network connection.
 func NewConnection(conn net.Conn, server bool) (*Connection, error) {
-	framer, framerErr := spdy.NewFramer(conn, conn)
+	return NewConnectionWithOptions(conn, server)
+}
+
+// NewConnectionWithOptions creates a new spdy connection and applies frame
+// parsing limits via options.
+func NewConnectionWithOptions(conn net.Conn, server bool, opts ...spdy.FramerOption) (*Connection, error) {
+	framer, framerErr := spdy.NewFramerWithOptions(conn, conn, opts...)
 	if framerErr != nil {
 		return nil, framerErr
 	}
@@ -350,6 +356,9 @@ Loop:
 			} else {
 				debugMessage("(%p) EOF received", s)
 			}
+			if spdyErr, ok := err.(*spdy.Error); ok && spdyErr.Err == spdy.InvalidControlFrame {
+				_ = s.conn.Close()
+			}
 			break
 		}
 		var priority uint8

spdy/options.go

@@ -0,0 +1,25 @@
+package spdy
+
+// FramerOption allows callers to customize frame parsing limits.
+type FramerOption func(*Framer)
+
+// WithMaxControlFramePayloadSize sets the control-frame payload limit.
+func WithMaxControlFramePayloadSize(size uint32) FramerOption {
+	return func(f *Framer) {
+		f.maxFrameLength = size
+	}
+}
+
+// WithMaxHeaderFieldSize sets the per-header name/value size limit.
+func WithMaxHeaderFieldSize(size uint32) FramerOption {
+	return func(f *Framer) {
+		f.maxHeaderFieldSize = size
+	}
+}
+
+// WithMaxHeaderCount sets the maximum number of headers in a frame.
+func WithMaxHeaderCount(count uint32) FramerOption {
+	return func(f *Framer) {
+		f.maxHeaderCount = count
+	}
+}

spdy/options_test.go

@@ -0,0 +1,33 @@
+package spdy
+
+import (
+	"net"
+	"testing"
+)
+
+func TestNewFramerWithOptions(t *testing.T) {
+	serverConn, clientConn := net.Pipe()
+	defer func() {
+		_ = clientConn.Close()
+		_ = serverConn.Close()
+	}()
+
+	framer, err := NewFramerWithOptions(clientConn, clientConn,
+		WithMaxControlFramePayloadSize(1024),
+		WithMaxHeaderFieldSize(128),
+		WithMaxHeaderCount(16),
+	)
+	if err != nil {
+		t.Fatalf("Error creating spdy connection with options: %s", err)
+	}
+
+	if got := framer.maxFrameLength; got != 1024 {
+		t.Fatalf("Unexpected MaxControlFramePayloadSize: %d", got)
+	}
+	if got := framer.maxHeaderFieldSize; got != 128 {
+		t.Fatalf("Unexpected MaxHeaderFieldSize: %d", got)
+	}
+	if got := framer.maxHeaderCount; got != 16 {
+		t.Fatalf("Unexpected MaxHeaderCount: %d", got)
+	}
+}

spdy/read.go

@@ -43,6 +43,11 @@ func (frame *SettingsFrame) read(h ControlFrameHeader, f *Framer) error {
 	if err := binary.Read(f.r, binary.BigEndian, &numSettings); err != nil {
 		return err
 	}
+	// Each setting is 8 bytes (4-byte id + 4-byte value).
+	// Payload is 4 bytes for numSettings + numSettings*8.
+	if h.length < 4 || numSettings > (h.length-4)/8 {
+		return &Error{InvalidControlFrame, 0}
+	}
 	frame.FlagIdValues = make([]SettingsFlagIdValue, numSettings)
 	for i := uint32(0); i < numSettings; i++ {
 		if err := binary.Read(f.r, binary.BigEndian, &frame.FlagIdValues[i].Id); err != nil {
@@ -161,8 +166,19 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (
 	if err := binary.Read(f.r, binary.BigEndian, &length); err != nil {
 		return nil, err
 	}
+	maxControlFramePayload := uint32(MaxDataLength)
+	if f.maxFrameLength > 0 {
+		maxControlFramePayload = f.maxFrameLength
+	}
+
 	flags := ControlFlags((length & 0xff000000) >> 24)
 	length &= 0xffffff
+	if length > maxControlFramePayload {
+		if _, err := io.CopyN(io.Discard, f.r, int64(length)); err != nil {
+			return nil, err
+		}
+		return nil, &Error{InvalidControlFrame, 0}
+	}
 	header := ControlFrameHeader{version, frameType, flags, length}
 	cframe, err := newControlFrame(frameType)
 	if err != nil {
@@ -174,18 +190,32 @@ func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (
 	return cframe, nil
 }
 
-func parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {
+func (f *Framer) parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {
 	var numHeaders uint32
 	if err := binary.Read(r, binary.BigEndian, &numHeaders); err != nil {
 		return nil, err
 	}
+	maxHeaders := defaultMaxHeaderCount
+	if f.maxHeaderCount > 0 {
+		maxHeaders = f.maxHeaderCount
+	}
+	if numHeaders > maxHeaders {
+		return nil, &Error{InvalidControlFrame, streamId}
+	}
+	maxFieldSize := defaultMaxHeaderFieldSize
+	if f.maxHeaderFieldSize > 0 {
+		maxFieldSize = f.maxHeaderFieldSize
+	}
 	var e error
 	h := make(http.Header, int(numHeaders))
 	for i := 0; i < int(numHeaders); i++ {
 		var length uint32
 		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
 			return nil, err
 		}
+		if length > maxFieldSize {
+			return nil, &Error{InvalidControlFrame, streamId}
+		}
 		nameBytes := make([]byte, length)
 		if _, err := io.ReadFull(r, nameBytes); err != nil {
 			return nil, err
@@ -201,6 +231,9 @@ func parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error)
 		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
 			return nil, err
 		}
+		if length > maxFieldSize {
+			return nil, &Error{InvalidControlFrame, streamId}
+		}
 		value := make([]byte, length)
 		if _, err := io.ReadFull(r, value); err != nil {
 			return nil, err
@@ -240,7 +273,7 @@ func (f *Framer) readSynStreamFrame(h ControlFrameHeader, frame *SynStreamFrame)
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}
@@ -272,7 +305,7 @@ func (f *Framer) readSynReplyFrame(h ControlFrameHeader, frame *SynReplyFrame) e
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}
@@ -304,7 +337,7 @@ func (f *Framer) readHeadersFrame(h ControlFrameHeader, frame *HeadersFrame) err
 		}
 		reader = f.headerDecompressor
 	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
+	frame.Headers, err = f.parseHeaderValueBlock(reader, frame.StreamId)
 	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
 		err = &Error{WrongCompressedPayloadSize, 0}
 	}

spdy/spdy_test.go

@@ -27,7 +27,8 @@ func TestHeaderParsing(t *testing.T) {
 	var headerValueBlockBuf bytes.Buffer
 	writeHeaderValueBlock(&headerValueBlockBuf, HeadersFixture)
 	const bogusStreamId = 1
-	newHeaders, err := parseHeaderValueBlock(&headerValueBlockBuf, bogusStreamId)
+	f := &Framer{}
+	newHeaders, err := f.parseHeaderValueBlock(&headerValueBlockBuf, bogusStreamId)
 	if err != nil {
 		t.Fatal("parseHeaderValueBlock:", err)
 	}
@@ -223,6 +224,87 @@ func TestCreateParseSettings(t *testing.T) {
 	}
 }
 
+func TestReadFrameRejectsOversizedControlFrame(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	framer, err := NewFramer(buffer, buffer)
+	if err != nil {
+		t.Fatal("Failed to create new framer:", err)
+	}
+	framer.maxFrameLength = 1
+
+	// Control frame header (version 3, SETTINGS, length = 2)
+	_, _ = buffer.Write([]byte{
+		0x80, 0x03, // control frame + version
+		0x00, 0x04, // SETTINGS
+		0x00,             // flags
+		0x00, 0x00, 0x02, // length = 2
+		0x00, 0x01, // payload (2 bytes)
+	})
+
+	_, err = framer.ReadFrame()
+	if err == nil {
+		t.Fatal("expected error for oversized control frame")
+	}
+}
+
+func TestReadFrameRejectsSettingsLengthMismatch(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	framer, err := NewFramer(buffer, buffer)
+	if err != nil {
+		t.Fatal("Failed to create new framer:", err)
+	}
+
+	// SETTINGS frame with declared payload length 0, but includes numSettings.
+	_, _ = buffer.Write([]byte{
+		0x80, 0x03, // control frame + version
+		0x00, 0x04, // SETTINGS
+		0x00,             // flags
+		0x00, 0x00, 0x00, // length = 0
+		0x00, 0x00, 0x00, 0x01, // numSettings = 1
+	})
+
+	_, err = framer.ReadFrame()
+	if err == nil {
+		t.Fatal("expected error for SETTINGS length mismatch")
+	}
+}
+
+func TestParseHeaderValueBlockRejectsHeaderCountOverLimit(t *testing.T) {
+	buffer := bytes.NewBuffer([]byte{
+		0x00, 0x00, 0x00, 0x02, // numHeaders = 2
+	})
+
+	f := &Framer{maxHeaderCount: 1}
+	_, err := f.parseHeaderValueBlock(buffer, 1)
+	if err == nil {
+		t.Fatal("expected error for excessive header count")
+	}
+	spdyErr, ok := err.(*Error)
+	if !ok || spdyErr.Err != InvalidControlFrame {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestParseHeaderValueBlockRejectsHeaderFieldSizeOverLimit(t *testing.T) {
+	buffer := bytes.NewBuffer([]byte{
+		0x00, 0x00, 0x00, 0x01, // numHeaders = 1
+		0x00, 0x00, 0x00, 0x02, // name length = 2
+		0x61, 0x62, // name = "ab"
+		0x00, 0x00, 0x00, 0x01, // value length = 1
+		0x63, // value = "c"
+	})
+
+	f := &Framer{maxHeaderFieldSize: 1}
+	_, err := f.parseHeaderValueBlock(buffer, 1)
+	if err == nil {
+		t.Fatal("expected error for excessive header field size")
+	}
+	spdyErr, ok := err.(*Error)
+	if !ok || spdyErr.Err != InvalidControlFrame {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
 func TestCreateParsePing(t *testing.T) {
 	buffer := new(bytes.Buffer)
 	framer, err := NewFramer(buffer, buffer)

spdy/types.go

@@ -49,8 +49,20 @@ const (
 )
 
 // MaxDataLength is the maximum number of bytes that can be stored in one frame.
+//
+// SPDY frame headers encode the payload length using a 24-bit field,
+// so the maximum representable size for both data and control frames
+// is 2^24-1 bytes.
+//
+// See the SPDY/3 specification, "Frame Format":
+// https://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1/
 const MaxDataLength = 1<<24 - 1
 
+const (
+	defaultMaxHeaderFieldSize uint32 = 1 << 20
+	defaultMaxHeaderCount     uint32 = 1000
+)
+
 // headerValueSepator separates multiple header values.
 const headerValueSeparator = "\x00"
 
@@ -255,13 +267,27 @@ type Framer struct {
 	r                         io.Reader
 	headerReader              io.LimitedReader
 	headerDecompressor        io.ReadCloser
+
+	maxFrameLength       uint32 // overrides the default frame payload length limit.
+	maxHeaderFieldSize   uint32 // overrides the default per-header name/value length limit.
+	maxHeaderCount       uint32 // overrides the default header count limit.
 }
 
 // NewFramer allocates a new Framer for a given SPDY connection, represented by
 // a io.Writer and io.Reader. Note that Framer will read and write individual fields
 // from/to the Reader and Writer, so the caller should pass in an appropriately
 // buffered implementation to optimize performance.
 func NewFramer(w io.Writer, r io.Reader) (*Framer, error) {
+	return newFramer(w, r)
+}
+
+// NewFramerWithOptions allocates a new Framer for a given SPDY connection and
+// applies frame parsing limits via options.
+func NewFramerWithOptions(w io.Writer, r io.Reader, opts ...FramerOption) (*Framer, error) {
+	return newFramer(w, r, opts...)
+}
+
+func newFramer(w io.Writer, r io.Reader, opts ...FramerOption) (*Framer, error) {
 	compressBuf := new(bytes.Buffer)
 	compressor, err := zlib.NewWriterLevelDict(compressBuf, zlib.BestCompression, []byte(headerDictionary))
 	if err != nil {
@@ -273,5 +299,10 @@ func NewFramer(w io.Writer, r io.Reader) (*Framer, error) {
 		headerCompressor: compressor,
 		r:                r,
 	}
+	for _, opt := range opts {
+		if opt != nil {
+			opt(framer)
+		}
+	}
 	return framer, nil
 }