fix: Q/HPackDecoder limit validation after decoding #65771
Merged
DeagleGross merged 2 commits into dotnet:main on Mar 13, 2026
Pull request overview
This PR aligns HPACK (HTTP/2) and QPACK (HTTP/3) decoder behavior with Http2Limits.MaxRequestHeaderFieldSize / Http3Limits.MaxRequestHeaderFieldSize documentation by enforcing the header field size limit on decoded (uncompressed) header name/value lengths in addition to the existing encoded (compressed) length checks.
Changes:
- Add post-Huffman-decode validation to ensure decoded header name/value length does not exceed maxHeadersLength.
- Throw HPackDecodingException/QPackDecodingException with the existing net_http_headers_exceeded_length message when the decoded length exceeds the limit.
- Add targeted regression tests for both HPACK and QPACK covering Huffman expansion exceeding the limit.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/Shared/runtime/Http2/Hpack/HPackDecoder.cs | Enforces maxHeadersLength after Huffman decoding for header names/values. |
| src/Shared/runtime/Http3/QPack/QPackDecoder.cs | Enforces maxHeadersLength after Huffman decoding for header names/values. |
| src/Shared/test/Shared.Tests/runtime/Http2/HPackDecoderTest.cs | Adds tests proving encoded-length pass + decoded-length fail now throws. |
| src/Shared/test/Shared.Tests/runtime/Http3/QPackDecoderTest.cs | Adds equivalent tests for QPACK Huffman expansion scenarios. |
MihaZupan reviewed Mar 13, 2026
MihaZupan approved these changes Mar 13, 2026
There is a discrepancy between Http2Limits.MaxRequestHeaderFieldSize documentation and actual Q/HPackDecoders behavior:
aspnetcore/src/Servers/Kestrel/Core/src/Http2Limits.cs
Lines 84 to 90 in ae31b22
MaxRequestHeaderFieldSize clearly states that limits apply to both compressed and uncompressed data, but decoders don't check uncompressed length.
Current PR adds a validation check on uncompressed state and throws a corresponding exception per type.
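The gap described above, shown at the wire-format level as an added example (it is not code from this PR or from the .NET decoders): the HPACK/QPACK Huffman table in RFC 7541 Appendix B has 5-bit codes, so a string that passes an encoded-length check can decode to more characters than the limit allows. The function names, the `HeaderTooLarge` exception and the limit of 12 are assumptions made for the illustration, and only the ten 5-bit symbols are modelled.

```python
# Added illustration, not the HPackDecoder/QPackDecoder code. Only the ten
# 5-bit codes of RFC 7541 Appendix B are modelled (the full table has 257).
FIVE_BIT = {0: "0", 1: "1", 2: "2", 3: "a", 4: "c",
            5: "e", 6: "i", 7: "o", 8: "s", 9: "t"}
ENCODE = {ch: code for code, ch in FIVE_BIT.items()}


class HeaderTooLarge(Exception):
    """Hypothetical stand-in for HPackDecodingException/QPackDecodingException."""


def huffman_encode(text: str) -> bytes:
    """Pack 5-bit codes MSB-first; pad the final byte with 1-bits."""
    bits = "".join(format(ENCODE[ch], "05b") for ch in text)
    bits += "1" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def huffman_decode(data: bytes) -> str:
    """Decode 5-bit symbols; up to 7 trailing 1-bits are padding."""
    bits = "".join(format(b, "08b") for b in data)
    out, pos = [], 0
    while len(bits) - pos >= 5:
        code = int(bits[pos:pos + 5], 2)
        if code not in FIVE_BIT:
            break  # not a modelled symbol: must be padding, checked below
        out.append(FIVE_BIT[code])
        pos += 5
    rest = bits[pos:]
    if len(rest) > 7 or set(rest) - {"1"}:
        raise ValueError("bad padding or symbol outside the modelled subset")
    return "".join(out)


def decode_string(data: bytes, max_len: int, check_decoded: bool) -> str:
    # Check on the encoded (compressed) length, before decoding.
    if len(data) > max_len:
        raise HeaderTooLarge("encoded length exceeds limit")
    text = huffman_decode(data)
    # Check on the decoded (uncompressed) length, the one the PR adds.
    if check_decoded and len(text) > max_len:
        raise HeaderTooLarge("decoded length exceeds limit")
    return text


# Constructed sample: 16 characters encode to 10 bytes (16 * 5 bits).
SAMPLE = huffman_encode("test" * 4)
LIMIT = 12  # assumed limit, chosen to sit between 10 and 16
```

With `check_decoded=False` the 10-byte sample is accepted and yields a 16-character value under a limit of 12; with `check_decoded=True` the same input is rejected after decoding.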