Limit the number of incoming reserved (remote) streams

RFC 7540 does not enforce any limit on the number of incoming reserved streams (in RFC 7540 terms, streams in reserved (remote) state). This only affects client side, since only server can push streams. Malicious server can push arbitrary number of streams, and make client's memory exhausted. The new option, nghttp2_set_max_reserved_remote_streams, can set the maximum number of such incoming streams to avoid possible memory exhaustion. If this option is set, and pushed streams are automatically closed on reception, without calling user provided callback, if they exceed the given limit. The default value is 200. If session is configured as server side, this option has no effect. Server can control the number of streams to push.
2025-12-08 19:18:53 +08:00 · 2015-08-23 21:22:25 +09:00
parent 647e30619f
commit 928a81885c
6 changed files with 128 additions and 6 deletions
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -58,7 +58,8 @@ typedef enum {
   */
  NGHTTP2_OPT_PEER_MAX_CONCURRENT_STREAMS = 1 << 1,
  NGHTTP2_OPT_NO_RECV_CLIENT_MAGIC = 1 << 2,
-  NGHTTP2_OPT_NO_HTTP_MESSAGING = 1 << 3
+  NGHTTP2_OPT_NO_HTTP_MESSAGING = 1 << 3,
+  NGHTTP2_OPT_MAX_RESERVED_REMOTE_STREAMS = 1 << 4
 } nghttp2_option_flag;

 /**
@@ -74,6 +75,10 @@ struct nghttp2_option {
   * NGHTTP2_OPT_PEER_MAX_CONCURRENT_STREAMS
   */
  uint32_t peer_max_concurrent_streams;
+  /**
+   * NGHTTP2_OPT_MAX_RESERVED_REMOTE_STREAMS
+   */
+  uint32_t max_reserved_remote_streams;
  /**
   * NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE
   */