commit c29b39005eca335858dee3d0cf74613e8a1af048
author dschinazi <dschinazi@google.com> Mon Oct 04 13:09:26 2021 -0700
committer Copybara-Service <copybara-worker@google.com> Mon Oct 04 13:10:16 2021 -0700
tree c2560653f34f1d4269582a1f7227a4ea2eef8b01
parent af960357cc5a874b2c379989379593a6151a02f5

Don't buffer arbitrary amounts of capsule data

Capsule code is not enabled on our servers so this change does not require flag protection.

PiperOrigin-RevId: 400796488

quic/core/http/capsule.cc

diff --git a/quic/core/http/capsule.cc b/quic/core/http/capsule.cc
index 607393e..c811bb8 100644
--- a/quic/core/http/capsule.cc
+++ b/quic/core/http/capsule.cc
@@ -504,6 +504,12 @@
     }
     buffered_data_.erase(0, buffered_data_read);
   }
+  static constexpr size_t kMaxCapsuleBufferSize = 1024 * 1024;
+  if (buffered_data_.size() > kMaxCapsuleBufferSize) {
+    buffered_data_.clear();
+    ReportParseFailure("Refusing to buffer too much capsule data");
+    return false;
+  }
   return true;
 }
 

quic/core/http/capsule_test.cc

diff --git a/quic/core/http/capsule_test.cc b/quic/core/http/capsule_test.cc
index 3833e1f..66cb3d0 100644
--- a/quic/core/http/capsule_test.cc
+++ b/quic/core/http/capsule_test.cc
@@ -314,6 +314,17 @@
   }
 }
 
+TEST_F(CapsuleTest, RejectOverlyLongCapsule) {
+  std::string capsule_fragment = absl::HexStringToBytes(
+                                     "33"        // unknown capsule type of 0x33
+                                     "80123456"  // capsule length
+                                     ) +
+                                 std::string(1111111, '?');
+  EXPECT_CALL(visitor_, OnCapsuleParseFailure(
+                            "Refusing to buffer too much capsule data"));
+  EXPECT_FALSE(capsule_parser_.IngestCapsuleFragment(capsule_fragment));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic