The spec specifically allows accepting HPACK literals with indexing when
the HPACK literal is greater than the max table size. In this case, the
literal is not inserted in the table.
Fixes#243
This, uh, grew into something far bigger than expected, but it turns out, all of it was needed to eventually support this correctly.
- Adds configuration to client and server to set [SETTINGS_MAX_HEADER_LIST_SIZE](http://httpwg.org/specs/rfc7540.html#SETTINGS_MAX_HEADER_LIST_SIZE)
- If not set, a "sane default" of 16 MB is used (taken from golang's http2)
- Decoding header blocks now happens as they are received, instead of buffering up possibly forever until the last continuation frame is parsed.
- As each field is decoded, it's undecoded size is added to the total. Whenever a header block goes over the maximum size, the `frame` will be marked as such.
- Whenever a header block is deemed over max limit, decoding will still continue, but new fields will not be appended to `HeaderMap`. This is also can save wasted hashing.
- To protect against enormous string literals, such that they span multiple continuation frames, a check is made that the combined encoded bytes is less than the max allowed size. While technically not exactly what the spec suggests (counting decoded size instead), this should hopefully only happen when someone is indeed malicious. If found, a `GOAWAY` of `COMPRESSION_ERROR` is sent, and the connection shut down.
- After an oversize header block frame is finished decoding, the streams state machine will notice it is oversize, and handle that.
- If the local peer is a server, a 431 response is sent, as suggested by the spec.
- A `REFUSED_STREAM` reset is sent, since we cannot actually give the stream to the user.
- In order to be able to send both the 431 headers frame, and a reset frame afterwards, the scheduled `Canceled` machinery was made more general to a `Scheduled(Reason)` state instead.
Closes#18Closes#191
This updates `peek_u8` in hpack decoder to internally perform bound
checking. This ensures it cannot access bytes out of range once
reaching the end of the buffer.
This change adds a .rustfmt.toml that includes ALL supported settings,
12 of which we have overridden to attempt to cater to our own
proclivities.
rustfmt is checked in the rust-nightly CI job.
* comments
* wip
* wip
* Sketch out pingpong and keepalive stack modules
PingPong responds to ping requests with acknowledgements.
KeepAlive issues ping requests on idle connections.
* remove keepalive for now
* commentary
* prettify ping_pong's poll
* test ping pong and passthrough
* add buffering test
* Use a fixed-size slice for ping payloads
* Improve pong dispatch
pong messages should be buffered until Stream::poll returns
Async::NotReady or Async::Ready(None) (i.e. such that it is not expected
to be polled again). pong messages are now dispatched when no more data
may be polled or the Sink half is activated.
* revert name change
* touchup
* wip
* Simplify Stream::poll
Now PingPong only holds at most one pending pong and the stream will not
produce additional frames unti the ping has been sent.
Furthermore, we shouldn't have to call inner.poll_complete quite so
frequently.
* avoid Bytes::split_to
* only use buf internally to Ping::load
