Description
The spec provides a way to enforce limits on header block size. Without this feature, clients may cause a server to buffer arbitrarily large headers in memory before servicing the request. Through careful but simple crafting of HPACK encoded cookie headers, a malicious client is able to achieve an over 4000x amplification from bytes on the wire to server memory used with quadratic string garbage generation.
I would expect the http2 server to advertise a reasonable SETTINGS_MAX_HEADER_LIST_SIZE by default (possibly lifting the MaxHeaderBytes field from the http.Server) and enforce it. Potentially, although maybe deserving a separate tracking issue, the cookie header should not use string concatenation as it would still remain a target for massive garbage generation with the existing defaults.
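As an added illustration (not code from the Go project or from this issue's author), the following stand-alone Go sketch shows the two mitigations the report asks for: measuring a decoded header list the way RFC 7540 section 6.5.2 defines it for SETTINGS_MAX_HEADER_LIST_SIZE (name length + value length + 32 bytes per field) and aborting decoding as soon as the running total passes the limit, plus merging repeated cookie fields with one allocation instead of repeated string concatenation. The type and function names, the 1 MiB limit and the constructed sample header list are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// headerField is one decoded HPACK name/value pair (names are lower-case in HTTP/2).
type headerField struct {
	Name, Value string
}

// fieldOverhead is the per-field cost the HTTP/2 spec adds when it measures a
// header list against SETTINGS_MAX_HEADER_LIST_SIZE (RFC 7540, section 6.5.2):
// the size of a list is the sum of uncompressed name + value lengths plus 32
// bytes for each field.
const fieldOverhead = 32

// errHeaderListTooLarge is returned when a list would exceed the advertised limit.
var errHeaderListTooLarge = errors.New("header list exceeds SETTINGS_MAX_HEADER_LIST_SIZE")

// headerListSize measures a fully decoded list the way the spec counts it.
func headerListSize(fields []headerField) int {
	total := 0
	for _, f := range fields {
		total += len(f.Name) + len(f.Value) + fieldOverhead
	}
	return total
}

// decodeWithLimit models the server-side enforcement: it accounts for each
// field as it is decoded and stops as soon as the running total passes the
// limit, so a peer cannot make the server buffer an unbounded list before the
// request is dispatched. The decoded size is what matters: HPACK compression
// means a few bytes on the wire can expand to kilobytes here.
func decodeWithLimit(fields []headerField, maxHeaderListSize int) ([]headerField, error) {
	total := 0
	kept := make([]headerField, 0, len(fields))
	for _, f := range fields {
		total += len(f.Name) + len(f.Value) + fieldOverhead
		if total > maxHeaderListSize {
			return nil, errHeaderListTooLarge
		}
		kept = append(kept, f)
	}
	return kept, nil
}

// joinCookies merges repeated cookie fields into the single Cookie value that
// HTTP/1-style handlers expect. strings.Join sizes the result once and copies
// each part exactly once, whereas appending to a string in a loop
// (s += "; " + v) allocates a fresh, larger copy per iteration and produces
// garbage that grows quadratically with the number of fields.
func joinCookies(fields []headerField) string {
	var parts []string
	for _, f := range fields {
		if f.Name == "cookie" {
			parts = append(parts, f.Value)
		}
	}
	return strings.Join(parts, "; ")
}

// sampleHeaderList is constructed test input (an assumption for this example):
// the four pseudo-headers of a GET request followed by n repeated 4 KiB cookie fields.
func sampleHeaderList(n int) []headerField {
	fields := []headerField{
		{":method", "GET"},
		{":path", "/"},
		{":scheme", "https"},
		{":authority", "example.test"},
	}
	for i := 0; i < n; i++ {
		fields = append(fields, headerField{"cookie", strings.Repeat("x", 4096)})
	}
	return fields
}

func main() {
	// Assumed limit for the example: 1 MiB, the value of net/http's DefaultMaxHeaderBytes.
	const limit = 1 << 20
	for _, n := range []int{10, 300} {
		list := sampleHeaderList(n)
		_, err := decodeWithLimit(list, limit)
		fmt.Printf("%d cookie fields, spec size %d bytes: err=%v\n", n, headerListSize(list), err)
	}
}
```

With the 1 MiB limit, ten 4 KiB cookie fields (41,518 bytes as the spec counts them) are accepted, while three hundred (1,240,378 bytes) are rejected partway through decoding rather than after the whole list has been materialised.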