|
 |
502b04 |
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
|
|
502b04 |
index 55db58e..429d06a 100644
|
|
|
502b04 |
--- a/src/http/v2/ngx_http_v2.c
|
|
|
502b04 |
+++ b/src/http/v2/ngx_http_v2.c
|
|
|
502b04 |
@@ -654,6 +654,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)
|
|
|
502b04 |
|
|
|
502b04 |
h2c->pool = NULL;
|
|
|
502b04 |
h2c->free_frames = NULL;
|
|
|
502b04 |
+ h2c->frames = 0;
|
|
|
502b04 |
h2c->free_fake_connections = NULL;
|
|
|
502b04 |
|
|
|
502b04 |
#if (NGX_HTTP_SSL)
|
|
|
502b04 |
@@ -2640,7 +2641,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
|
|
|
502b04 |
|
|
|
502b04 |
frame->blocked = 0;
|
|
|
502b04 |
|
|
|
502b04 |
- } else {
|
|
|
502b04 |
+ } else if (h2c->frames < 10000) {
|
|
|
502b04 |
pool = h2c->pool ? h2c->pool : h2c->connection->pool;
|
|
|
502b04 |
|
|
|
502b04 |
frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
|
|
|
502b04 |
@@ -2664,6 +2665,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
|
|
|
502b04 |
frame->last = frame->first;
|
|
|
502b04 |
|
|
|
502b04 |
frame->handler = ngx_http_v2_frame_handler;
|
|
|
502b04 |
+
|
|
|
502b04 |
+ h2c->frames++;
|
|
|
502b04 |
+
|
|
|
502b04 |
+ } else {
|
|
|
502b04 |
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
|
|
502b04 |
+ "http2 flood detected");
|
|
|
502b04 |
+
|
|
|
502b04 |
+ h2c->connection->error = 1;
|
|
|
502b04 |
+ return NULL;
|
|
|
502b04 |
}
|
|
|
502b04 |
|
|
|
502b04 |
#if (NGX_DEBUG)
|
|
|
502b04 |
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
|
|
|
502b04 |
index 7d2a2ea..49398b9 100644
|
|
|
502b04 |
--- a/src/http/v2/ngx_http_v2.h
|
|
|
502b04 |
+++ b/src/http/v2/ngx_http_v2.h
|
|
|
502b04 |
@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s {
|
|
|
502b04 |
ngx_http_connection_t *http_connection;
|
|
|
502b04 |
|
|
|
502b04 |
ngx_uint_t processing;
|
|
|
502b04 |
+ ngx_uint_t frames;
|
|
|
502b04 |
|
|
|
502b04 |
size_t send_window;
|
|
|
502b04 |
size_t recv_window;
|