@marten-seemann marten-seemann commented Nov 21, 2025

Fixes #5429. Fixes #4747.

Copilot AI left a comment

Pull Request Overview

This pull request implements size limiting for decompressed HTTP/3 headers to prevent resource exhaustion attacks through highly compressed headers. The implementation follows RFC 9114 section 4.2.2, which specifies that field list size should be calculated based on uncompressed size with a 32-byte overhead per field.

Key changes:

  • Added decompressed header size validation in parseHeaders() that checks size limits during header field iteration
  • Updated server to send 431 status response when headers exceed limits (both compressed and decompressed)
  • Modified error handling to use ErrCodeExcessiveLoad for header size violations

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| http3/headers.go | Implements decompressed header size checking in parseHeaders() function per RFC 9114 section 4.2.2 |
| http3/server.go | Adds rejectWithStatus() helper and updates error handling to send 431 responses for oversized headers |
| http3/stream.go | Passes maxHeaderBytes limit to updateResponseFromHeaders() for client-side validation |
| http3/server_test.go | Updates test expectations to verify 431 response and ErrCodeExcessiveLoad error code |
| http3/headers_test.go | Updates all test calls to pass math.MaxInt as size limit parameter |
| http3/conn.go | Adds "http3:" prefix to error message for consistency |
| integrationtests/self/http_test.go | Adds comprehensive integration tests for both compressed and decompressed header size limits |

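The size accounting described in the review summary above (uncompressed name and value lengths plus 32 bytes per field, checked while iterating), as an added example that is not code from this pull request or from quic-go. The names `Field`, `CheckFieldSectionSize`, `ErrFieldSectionTooLarge` and `TinyFields`, and the 1024-byte limit, are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Field is one decoded header field (hypothetical type for this example).
type Field struct{ Name, Value string }

// Fixed per-field cost from RFC 9114 section 4.2.2.
const perFieldOverhead = 32

// ErrFieldSectionTooLarge is a hypothetical sentinel error for this example.
var ErrFieldSectionTooLarge = errors.New("field section exceeds size limit")

// CheckFieldSectionSize sums name + value + 32 for each decoded field and
// stops at the first field that pushes the total past limit, so the rest
// of an oversized section is never processed. It returns the size counted
// so far and the number of fields examined.
func CheckFieldSectionSize(fields []Field, limit int) (size, seen int, err error) {
	for _, f := range fields {
		seen++
		size += len(f.Name) + len(f.Value) + perFieldOverhead
		if size > limit {
			return size, seen, ErrFieldSectionTooLarge
		}
	}
	return size, seen, nil
}

// TinyFields builds constructed sample input: n fields with a one-byte name
// and an empty value, which carry almost no raw bytes.
func TinyFields(n int) []Field {
	fields := make([]Field, n)
	for i := range fields {
		fields[i] = Field{Name: "a"}
	}
	return fields
}

func main() {
	const limit = 1024 // assumed limit for the demo
	size, seen, err := CheckFieldSectionSize(TinyFields(100), limit)
	if errors.Is(err, ErrFieldSectionTooLarge) {
		// 100 raw bytes of names, but the counted size passes the limit early.
		fmt.Printf("reject with %d after %d fields (%d bytes counted)\n",
			http.StatusRequestHeaderFieldsTooLarge, seen, size)
	}
}
```

The per-field overhead is what makes many near-empty fields count against the limit even though their names and values total only 100 bytes.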

@marten-seemann marten-seemann force-pushed the http3-limit-decompressed-header-size branch 2 times, most recently from d555de7 to f387fc5 Compare November 21, 2025 09:26
codecov bot commented Nov 21, 2025

❌ 2 Tests Failed:

| Tests completed | Failed | Passed | Skipped |
| --- | --- | --- | --- |
| 2362 | 2 | 2360 | 2 |
View the top 3 failed test(s) by shortest run time
github.com/quic-go/quic-go/qlogwriter::TestTraceMetadata
Stack Traces | 0.11s run time
Failed
github.com/quic-go/quic-go/qlogwriter::TestTraceMetadata/non-connection_trace
Stack Traces | 0.11s run time
Failed
github.com/quic-go/quic-go/integrationtests/self::TestConnDataBlocked
Stack Traces | 0.15s run time
Failed
github.com/quic-go/quic-go/integrationtests/self::TestHandshakeCloseListener/using_ListenAddr
Stack Traces | 1.07s run time
Failed
github.com/quic-go/quic-go/integrationtests/self::TestHandshakeCloseListener
Stack Traces | 1.19s run time
Failed


Copilot AI left a comment

Pull Request Overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.


@marten-seemann marten-seemann merged commit 5b2d212 into master Nov 21, 2025
43 checks passed
@marten-seemann marten-seemann deleted the http3-limit-decompressed-header-size branch November 21, 2025 10:12
Development

Successfully merging this pull request may close these issues.

  • http3: send 431 when the HEADERS frame is too large
  • http3: incorrect handling of MaxHeaderBytes