Don't buffer arbitrary amounts of capsule data
Capsule code is not enabled on our servers so this change does not require flag protection.
PiperOrigin-RevId: 400796488
diff --git a/quic/core/http/capsule.cc b/quic/core/http/capsule.cc
index 607393e..c811bb8 100644
--- a/quic/core/http/capsule.cc
+++ b/quic/core/http/capsule.cc
@@ -504,6 +504,12 @@
}
buffered_data_.erase(0, buffered_data_read);
}
+ static constexpr size_t kMaxCapsuleBufferSize = 1024 * 1024;
+ if (buffered_data_.size() > kMaxCapsuleBufferSize) {
+ buffered_data_.clear();
+ ReportParseFailure("Refusing to buffer too much capsule data");
+ return false;
+ }
return true;
}
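Review bot: The new limit is enforced only at the tail of the function, after the incoming fragment has already been appended to buffered_data_ and the parse loop above the hunk has run, so an oversized fragment is still copied in full before it is rejected; the companion test feeds a single 1111111-byte fragment and relies on this after-the-fact check. If the append happens earlier in this function (outside the hunk), checking the combined size of buffered_data_ and the incoming fragment before copying would keep peak memory bounded by kMaxCapsuleBufferSize rather than by whatever size the peer chooses to send. The constant also deserves a rationale next to it, e.g. `// Upper bound on unparsed capsule bytes retained across fragments; exceeding it is treated as a parse failure.` It is not visible here whether ReportParseFailure leaves the parser in a terminal state, so a later IngestCapsuleFragment call may resume buffering from an empty buffer — worth confirming that this is the intended behaviour. The enclosing function starts outside the hunk.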
diff --git a/quic/core/http/capsule_test.cc b/quic/core/http/capsule_test.cc
index 3833e1f..66cb3d0 100644
--- a/quic/core/http/capsule_test.cc
+++ b/quic/core/http/capsule_test.cc
@@ -314,6 +314,17 @@
}
}
+TEST_F(CapsuleTest, RejectOverlyLongCapsule) {
+ std::string capsule_fragment = absl::HexStringToBytes(
+ "33" // unknown capsule type of 0x33
+ "80123456" // capsule length
+ ) +
+ std::string(1111111, '?');
+ EXPECT_CALL(visitor_, OnCapsuleParseFailure(
+ "Refusing to buffer too much capsule data"));
+ EXPECT_FALSE(capsule_parser_.IngestCapsuleFragment(capsule_fragment));
+}
+
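Review bot: RejectOverlyLongCapsule exercises only the over-limit path; there is no test pinning the boundary, so a later change from `>` to `>=` in capsule.cc (or a change to the constant) would go unnoticed. A second case that ingests a fragment whose unparsed remainder is exactly 1024 * 1024 bytes and expects IngestCapsuleFragment to return true would lock the limit in, and a follow-up call after the failure would document whether the parser keeps accepting data once the buffer has been cleared. The `// capsule length` comment could also state the decoded value (presumably a QUIC varint, 0x123456 = 1193046 bytes), since the test depends on that length exceeding the supplied payload so the capsule stays buffered rather than being parsed.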
} // namespace
} // namespace test
} // namespace quic