From 5fe782778f535ae68508fb7979df1cbfbdf4d6de Mon Sep 17 00:00:00 2001
From: sunsuwan <sunsuwan3@huawei.com>
Date: Mon, 4 Sep 2023 21:45:49 +0800
Subject: [PATCH] CVE-2023-33953 add header limit

Signed-off-by: zhouyihang <zhouyihang3@h-partners.com>
Signed-off-by: sunsuwan <sunsuwan3@huawei.com>
---
 .../ext/transport/chttp2/transport/hpack_parser.cc   | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
index 09681fa..6b191a7 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
@@ -1372,6 +1372,18 @@ grpc_error_handle grpc_chttp2_header_parser_parse(void* hpack_parser,
   auto* parser = static_cast<grpc_core::HPackParser*>(hpack_parser);
   if (s != nullptr) {
     s->stats.incoming.header_bytes += GRPC_SLICE_LENGTH(slice);
+    if (s->stats.incoming.header_bytes > t->settings[GRPC_ACKED_SETTINGS]
+                                                    [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE]) {
+      grpc_chttp2_cancel_stream(
+      t, s,
+      grpc_error_set_int(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                             "received header size exceeds limit"),
+                         GRPC_ERROR_INT_GRPC_STATUS,
+                         GRPC_STATUS_RESOURCE_EXHAUSTED));
+      grpc_chttp2_parsing_become_skip_parser(t);
+      s->seen_error = true;
+      return GRPC_ERROR_NONE;
+    }
   }
   grpc_error_handle error = parser->Parse(slice, is_last != 0);
   if (error != GRPC_ERROR_NONE) {
-- 
2.33.0