From 84af2a7a3fb48ffcf9bf0d7c468af97e098dc4aa Mon Sep 17 00:00:00 2001
From: Yong Tang
Date: Mon, 1 Jun 2026 00:58:39 -0700
Subject: [PATCH] core: bound HTTP/3 request header size for DoH3 (#8135)

This PR Set a conservative MaxHeaderBytes value on the DoH3 HTTP/3 server. This reduces memory exposure from large request headers before requests reach the DoH handler.

Signed-off-by: Yong Tang
---
 core/dnsserver/server_https3.go | 3 +++
 core/dnsserver/server_https3_test.go | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/core/dnsserver/server_https3.go b/core/dnsserver/server_https3.go
index 597f0e529..340d83f4e 100644
--- a/core/dnsserver/server_https3.go
+++ b/core/dnsserver/server_https3.go
@@ -26,6 +26,8 @@ import (
 const (
 // DefaultHTTPS3MaxStreams is the default maximum number of concurrent QUIC streams per connection.
 DefaultHTTPS3MaxStreams = 256
+ // DefaultHTTPS3MaxHeaderBytes limits HTTP/3 header memory before requests reach the DoH handler.
+ DefaultHTTPS3MaxHeaderBytes = 16 << 10 // 16 KiB
 )
 
 // ServerHTTPS3 represents a DNS-over-HTTP/3 server.
@@ -91,6 +93,7 @@ func NewServerHTTPS3(addr string, group []*Config) (*ServerHTTPS3, error) {
 TLSConfig: tlsConfig,
 EnableDatagrams: true,
 QUICConfig: qconf,
+ MaxHeaderBytes: DefaultHTTPS3MaxHeaderBytes,
 // Logger: stdlog.New(&loggerAdapter{}, "", 0), TODO: Fix it
 }
 
diff --git a/core/dnsserver/server_https3_test.go b/core/dnsserver/server_https3_test.go
index faf879a5c..8025c8ce1 100644
--- a/core/dnsserver/server_https3_test.go
+++ b/core/dnsserver/server_https3_test.go
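Review bot: The doc comment on the new `DefaultHTTPS3MaxHeaderBytes` constant says what it is for but not what it replaces or what it covers, so a reader cannot judge whether 16 KiB is safe for DoH traffic. As I read quic-go's `http3.Server` docs, a zero `MaxHeaderBytes` falls back to `http.DefaultMaxHeaderBytes` (1 MiB), the cap applies to the request HEADERS frame including the `:path` pseudo-header, and it does not bound the request body; the `:path` point matters here because a DoH GET carries the entire DNS message base64url-encoded in its `dns=` query parameter, so a large GET query is now rejected at the HTTP/3 layer while the same message over POST still passes. I would extend the comment to `// DefaultHTTPS3MaxHeaderBytes caps the request HEADERS frame (including :path, so a DoH GET's dns= parameter counts) that the HTTP/3 server reads before dispatching to the DoH handler. It replaces the 1 MiB http.DefaultMaxHeaderBytes fallback and does not limit the request body.` A sentence recording why 16 KiB was chosen (headroom over the largest expected base64url-encoded query plus ordinary headers) would help whoever tunes it next.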
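Review bot: `MaxHeaderBytes` is wired in as a fixed constant, whereas the neighbouring `QUICConfig: qconf` and the existing `TestNewServerHTTPS3ZeroLimits` suggest the stream limit is derived from `Config` with a fallback to its default; if that is so, the header cap should probably follow the same pattern so operators can raise it without a rebuild, or the fixed value should at least be called out in the DoH3 server documentation. A related detection point: a request whose headers exceed the cap is rejected inside quic-go before `Handler` runs, so those rejections will not appear in the DoH handler's logging or metrics, and a comment on the new line such as `// Oversized headers are rejected by quic-go before Handler runs; they never reach DoH metrics or logging.` would save someone debugging a client that fails silently. `NewServerHTTPS3` starts and ends outside this hunk, so I cannot see whether a `Config` field for this limit already exists.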
@@ -152,6 +152,27 @@ func TestNewServerHTTPS3ZeroLimits(t *testing.T) {
 }
 }
 
+func TestNewServerHTTPS3DefaultMaxHeaderBytes(t *testing.T) {
+ c := Config{
+ Zone: "example.com.",
+ Transport: "https3",
+ TLSConfig: &tls.Config{},
+ ListenHosts: []string{"127.0.0.1"},
+ Port: "443",
+ }
+
+ server, err := NewServerHTTPS3("127.0.0.1:443", []*Config{&c})
+ if err != nil {
+ t.Fatalf("NewServerHTTPS3() failed: %v", err)
+ }
+
+ if server.httpsServer.MaxHeaderBytes != DefaultHTTPS3MaxHeaderBytes {
+ t.Errorf("expected MaxHeaderBytes = %d, got %d",
+ DefaultHTTPS3MaxHeaderBytes,
+ server.httpsServer.MaxHeaderBytes)
+ }
+}
+
 func testConfigWithTSIGCheckPluginHTTPS3(t *testing.T, check func(*testing.T, error)) *Config {
 t.Helper()