Add tests CONTINUATION flood and adjust limits

Signed-off-by: Yan Avlasov <yavlasov@google.com>
yanavlasov · Apr 12, 2024 · 4849ff3 · 4849ff3
1 parent 34bb97c
commit 4849ff3
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 2 deletions.
diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc
@@ -2122,9 +2122,9 @@ ConnectionImpl::Http2Options::Http2Options(
   nghttp2_option_set_max_outbound_ack(options_, 10000);
 
   // nghttp2 REQUIRES setting max number of CONTINUATION frames.
-  // 1024 is chosen to accommodate Envoy's 8Mb max limit of max_request_headers_kb
+  // 512 is chosen to accommodate Envoy's 8Mb max limit of max_request_headers_kb
   // in both headers and trailers
-  nghttp2_option_set_max_continuations(options_, 1024);
+  nghttp2_option_set_max_continuations(options_, 512);
 }
 
 ConnectionImpl::Http2Options::~Http2Options() { nghttp2_option_del(options_); }

diff --git a/test/integration/http2_flood_integration_test.cc b/test/integration/http2_flood_integration_test.cc
@@ -1638,4 +1638,45 @@ TEST_P(Http2FloodMitigationTest, GoAwayAfterRequestReset) {
 }
 #endif
 
+TEST_P(Http2FloodMitigationTest, HeadersContinuationObservesLimit) {
+  useAccessLog("%RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS%");
+  beginSession();
+
+  const uint32_t request_stream_id = Http2Frame::makeClientStreamId(0);
+  auto request = Http2Frame::makeEmptyHeadersFrame(request_stream_id);
+  request.appendStaticHeader(Http2Frame::StaticHeaderIndex::MethodGet);
+  request.appendStaticHeader(Http2Frame::StaticHeaderIndex::SchemeHttps);
+  request.appendStaticHeader(Http2Frame::StaticHeaderIndex::Path);
+  request.appendHeaderWithoutIndexing(Http2Frame::StaticHeaderIndex::Authority, "www.example.com");
+  request.appendHeaderWithoutIndexing(Http2Frame::Header("foo", "bar"));
+  request.adjustPayloadSize();
+  sendFrame(request);
+
+  for (int i = 0; i < 20; i++) {
+    request = Http2Frame::makeEmptyContinuationFrame(request_stream_id);
+    for (int h = 0; h < 50; h++) {
+      request.appendHeaderWithoutIndexing(
+          Http2Frame::Header(absl::StrCat("baz", i, "-", h), "bats"));
+    }
+    request.adjustPayloadSize();
+    sendFrame(request);
+  }
+
+  // Expect request to be reset due to violation of the default limit of 100 headers
+  auto response = readFrame();
+  EXPECT_EQ(Http2Frame::Type::RstStream, response.type());
+
+  // Continue pumping frames and expect Envoy to close the connection.
+  for (int i = 0; i < 512; i++) {
+    request = Http2Frame::makeEmptyContinuationFrame(request_stream_id);
+    request.appendHeaderWithoutIndexing(Http2Frame::Header(absl::StrCat("baz", i, "-0"), "bats"));
+    request.adjustPayloadSize();
+    sendFrame(request);
+  }
+
+  tcp_client_->waitForDisconnect();
+  EXPECT_THAT(waitForAccessLog(access_log_name_), HasSubstr("http2.too_many_headers"));
+  EXPECT_EQ(1, test_server_->counter("http2.header_overflow")->value());
+}
+
 } // namespace Envoy