andy at warmcat.com
Sat Jul 9 01:36:54 CEST 2016
On July 9, 2016 5:33:05 AM GMT+08:00, Roger Light <roger at atchoo.org> wrote:
> short max_http_header_data;
> /**< CONTEXT: The max amount of header payload that can be handled
> * in an http request (unrecognized header payload is dropped) */
>It's not completely clear to me, does this mean the total header
>payload data or the payload data for each individual header entry?
It's the total content of all recognized headers
for one http connection... they are all processed at once in an ah (allocated headers struct) and then made available in callbacks like ESTABLISHED and then destroyed afterwards. Unrecognized header content is just dropped.
Http headers have an intentional, standardized quirk that the same header appearing multiple times is defined to append to a single logical header, not be n instances of the header. So to avoid header fragmentation attacks, lws apis for header access automatically combine originally fragmented headers and return them as one; to do that they need all the headers at once.
It used to make sense to keep this number low by default, because every http connection would malloc an ah including this buffer, if a lot came at once it could blow up the memory usage unpredictably, briefly. But the change to having an ah pool, where the user can control both the max_http_header_data (currently defaults to 1024) and the number of pool members (currently defaults to 16), means the default should probably be bigger now since it seems people are bumping into it.
>Libwebsockets mailing list
>Libwebsockets at ml.libwebsockets.org
More information about the Libwebsockets