deepflowio · yinjiping · May 21, 2025 · May 17, 2025 · May 20, 2025 · May 20, 2025
diff --git a/agent/src/ebpf/kernel/include/protocol_inference.h b/agent/src/ebpf/kernel/include/protocol_inference.h
@@ -426,7 +426,7 @@ static __inline enum message_type parse_http2_headers_frame(const char
 #if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
 #define HTTPV2_LOOP_MAX 8
 #else
-#define HTTPV2_LOOP_MAX 6
+#define HTTPV2_LOOP_MAX 5
 #endif
 /*
  *  HTTPV2_FRAME_READ_SZ取值考虑以下3部分：
@@ -452,6 +452,21 @@ static __inline enum message_type parse_http2_headers_frame(const char
 	if (count < HTTPV2_FRAME_PROTO_SZ)
 		return MSG_UNKNOWN;
 
+	/*
+	 * The frame payload length (excluding the initial 9 bytes) must not
+	 * exceed the actual length of the system call.
+	 */
+	if ((__bpf_ntohl(*(__u32 *) buf_kern) >> 8) > syscall_len - HTTPV2_FRAME_PROTO_SZ)
+		return MSG_UNKNOWN;
+
+	/*
+	 * The highest bit of the 5th byte (i.e., the first byte of the Stream
+	 * Identifier) must be 0, indicating that the reserved bit (R) is 0;
+	 * otherwise, it violates the HTTP/2 specification.
+	 */
+	if (buf_kern[5] >> 7 != 0)
+		return MSG_UNKNOWN;
+
 	__u32 offset = 0;
 	__u8 flags_unset = 0, flags_padding = 0, flags_priority = 0;
 	__u8 type = 0, reserve = 0, static_table_idx, i, block_fragment_offset;