|
 |
719b67 |
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
|
|
719b67 |
index d0cd2ab..8d3eaf8 100644
|
|
|
719b67 |
--- a/src/http/v2/ngx_http_v2.c
|
|
|
719b67 |
+++ b/src/http/v2/ngx_http_v2.c
|
|
|
719b67 |
@@ -649,6 +649,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)
|
|
|
719b67 |
|
|
|
719b67 |
h2c->pool = NULL;
|
|
|
719b67 |
h2c->free_frames = NULL;
|
|
|
719b67 |
+ h2c->frames = 0;
|
|
|
719b67 |
h2c->free_fake_connections = NULL;
|
|
|
719b67 |
|
|
|
719b67 |
#if (NGX_HTTP_SSL)
|
|
|
719b67 |
@@ -2615,7 +2616,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
|
|
|
719b67 |
|
|
|
719b67 |
frame->blocked = 0;
|
|
|
719b67 |
|
|
|
719b67 |
- } else {
|
|
|
719b67 |
+ } else if (h2c->frames < 10000) {
|
|
|
719b67 |
pool = h2c->pool ? h2c->pool : h2c->connection->pool;
|
|
|
719b67 |
|
|
|
719b67 |
frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
|
|
|
719b67 |
@@ -2639,6 +2640,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
|
|
|
719b67 |
frame->last = frame->first;
|
|
|
719b67 |
|
|
|
719b67 |
frame->handler = ngx_http_v2_frame_handler;
|
|
|
719b67 |
+
|
|
|
719b67 |
+ h2c->frames++;
|
|
|
719b67 |
+
|
|
|
719b67 |
+ } else {
|
|
|
719b67 |
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
|
|
719b67 |
+ "http2 flood detected");
|
|
|
719b67 |
+
|
|
|
719b67 |
+ h2c->connection->error = 1;
|
|
|
719b67 |
+ return NULL;
|
|
|
719b67 |
}
|
|
|
719b67 |
|
|
|
719b67 |
#if (NGX_DEBUG)
|
|
|
719b67 |
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
|
|
|
719b67 |
index 9e738aa..c22d879 100644
|
|
|
719b67 |
--- a/src/http/v2/ngx_http_v2.h
|
|
|
719b67 |
+++ b/src/http/v2/ngx_http_v2.h
|
|
|
719b67 |
@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s {
|
|
|
719b67 |
ngx_http_connection_t *http_connection;
|
|
|
719b67 |
|
|
|
719b67 |
ngx_uint_t processing;
|
|
|
719b67 |
+ ngx_uint_t frames;
|
|
|
719b67 |
|
|
|
719b67 |
size_t send_window;
|
|
|
719b67 |
size_t recv_window;
|