Update contrib/libs/nghttp2 to 1.61.0

c8173cbc05a2b3d63ed112bca0c19bfcd3fec2b1

11 files changed, 94 insertions, 29 deletions

diff --git a/contrib/libs/nghttp2/AUTHORS b/contrib/libs/nghttp2/AUTHORS
index 178db1b96e..de4be6d76f 100644
--- a/contrib/libs/nghttp2/AUTHORS
+++ b/contrib/libs/nghttp2/AUTHORS
@@ -72,6 +72,8 @@ Jay Satiro
 Jeff 'Raid' Baitis
 Jianqing Wang
 Jim Morrison
+Jiwoo Park
+Jonas Kvinge
 Josh Braegger
 José F. Calcerrada
 Kamil Dudka
diff --git a/contrib/libs/nghttp2/README.rst b/contrib/libs/nghttp2/README.rst
index 69dc1ae543..fc81c03979 100644
--- a/contrib/libs/nghttp2/README.rst
+++ b/contrib/libs/nghttp2/README.rst
@@ -127,8 +127,8 @@ following libraries are required:
   <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
   LibreSSL (does not support 0RTT); or aws-lc; or
   `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
-  8e6a26d128484b886e6dcbfa558b993d38950bb5)
-* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.0.0
+  fae0964b3d44e94ca2a2d21f86e61dabe683d130)
+* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.4.0
 * `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.1.0
 
 Use ``--enable-http3`` configure option to enable HTTP/3 feature for
@@ -341,7 +341,7 @@ Build aws-lc:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.21.0 https://github.com/aws/aws-lc
+   $ git clone --depth 1 -b v1.23.0 https://github.com/aws/aws-lc
    $ cd aws-lc
    $ cmake -B build -DDISABLE_GO=ON --install-prefix=$PWD/opt
    $ make -j$(nproc) -C build
@@ -365,7 +365,7 @@ Build ngtcp2:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.3.0 https://github.com/ngtcp2/ngtcp2
+   $ git clone --depth 1 -b v1.4.0 https://github.com/ngtcp2/ngtcp2
    $ cd ngtcp2
    $ git submodule update --init --depth 1
    $ autoreconf -i
diff --git a/contrib/libs/nghttp2/config-linux.h b/contrib/libs/nghttp2/config-linux.h
index ab5107873e..a779148e82 100644
--- a/contrib/libs/nghttp2/config-linux.h
+++ b/contrib/libs/nghttp2/config-linux.h
@@ -263,7 +263,7 @@
 #define PACKAGE_NAME "nghttp2"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "nghttp2 1.60.0"
+#define PACKAGE_STRING "nghttp2 1.61.0"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "nghttp2"
@@ -272,7 +272,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.60.0"
+#define PACKAGE_VERSION "1.61.0"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -371,7 +371,7 @@
 
 
 /* Version number of package */
-#define VERSION "1.60.0"
+#define VERSION "1.61.0"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2.h b/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2.h
index a99382e8e4..922ab784d8 100644
--- a/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -471,7 +471,12 @@ typedef enum {
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
-  NGHTTP2_ERR_FLOODED = -904
+  NGHTTP2_ERR_FLOODED = -904,
+  /**
+   * When a local endpoint receives too many CONTINUATION frames
+   * following a HEADER frame.
+   */
+  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
 } nghttp2_error;
 
 /**
@@ -3213,6 +3218,17 @@ nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
 /**
  * @function
  *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame.  If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed.  The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+                                                         size_t val);
+
+/**
+ * @function
+ *
  * Initializes |*session_ptr| for client use.  The all members of
  * |callbacks| are copied to |*session_ptr|.  Therefore |*session_ptr|
  * does not store |callbacks|.  The |user_data| is an arbitrary user
diff --git a/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2ver.h b/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2ver.h
index d38b89adc6..a21d6a1605 100644
--- a/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+++ b/contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2ver.h
@@ -29,7 +29,7 @@
  * @macro
  * Version number of the nghttp2 library release
  */
-#define NGHTTP2_VERSION "1.60.0"
+#define NGHTTP2_VERSION "1.61.0"
 
 /**
  * @macro
@@ -37,6 +37,6 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define NGHTTP2_VERSION_NUM 0x013c00
+#define NGHTTP2_VERSION_NUM 0x013d00
 
 #endif /* NGHTTP2VER_H */
diff --git a/contrib/libs/nghttp2/lib/nghttp2_helper.c b/contrib/libs/nghttp2/lib/nghttp2_helper.c
index 93dd4754b7..b3563d98e0 100644
--- a/contrib/libs/nghttp2/lib/nghttp2_helper.c
+++ b/contrib/libs/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
            "closed";
   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
     return "SETTINGS frame contained more than the maximum allowed entries";
+  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+    return "Too many CONTINUATION frames following a HEADER frame";
   default:
     return "Unknown error code";
   }
diff --git a/contrib/libs/nghttp2/lib/nghttp2_option.c b/contrib/libs/nghttp2/lib/nghttp2_option.c
index 43d4e95229..53144b9b75 100644
--- a/contrib/libs/nghttp2/lib/nghttp2_option.c
+++ b/contrib/libs/nghttp2/lib/nghttp2_option.c
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
   option->stream_reset_burst = burst;
   option->stream_reset_rate = rate;
 }
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+  option->max_continuations = val;
+}
diff --git a/contrib/libs/nghttp2/lib/nghttp2_option.h b/contrib/libs/nghttp2/lib/nghttp2_option.h
index 2259e1849d..c89cb97f8b 100644
--- a/contrib/libs/nghttp2/lib/nghttp2_option.h
+++ b/contrib/libs/nghttp2/lib/nghttp2_option.h
@@ -71,6 +71,7 @@ typedef enum {
   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
 } nghttp2_option_flag;
 
 /**
@@ -99,6 +100,10 @@ struct nghttp2_option {
    */
   size_t max_settings;
   /**
+   * NGHTTP2_OPT_MAX_CONTINUATIONS
+   */
+  size_t max_continuations;
+  /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
    */
diff --git a/contrib/libs/nghttp2/lib/nghttp2_session.c b/contrib/libs/nghttp2/lib/nghttp2_session.c
index 226cdd59e8..004a4dffaa 100644
--- a/contrib/libs/nghttp2/lib/nghttp2_session.c
+++ b/contrib/libs/nghttp2/lib/nghttp2_session.c
@@ -497,6 +497,7 @@ static int session_new(nghttp2_session **session_ptr,
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
 
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -585,6 +586,10 @@ static int session_new(nghttp2_session **session_ptr,
                            option->stream_reset_burst,
                            option->stream_reset_rate);
     }
+
+    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+      (*session_ptr)->max_continuations = option->max_continuations;
+    }
   }
 
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -979,7 +984,14 @@ static int session_attach_stream_item(nghttp2_session *session,
     return 0;
   }
 
-  return session_ob_data_push(session, stream);
+  rv = session_ob_data_push(session, stream);
+  if (rv != 0) {
+    nghttp2_stream_detach_item(stream);
+
+    return rv;
+  }
+
+  return 0;
 }
 
 static void session_detach_stream_item(nghttp2_session *session,
@@ -1309,9 +1321,11 @@ nghttp2_stream *nghttp2_session_open_stream(nghttp2_session *session,
     assert((stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) ||
            nghttp2_stream_in_dep_tree(stream));
 
+    nghttp2_session_detach_idle_stream(session, stream);
+
     if (nghttp2_stream_in_dep_tree(stream)) {
       assert(!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES));
-      nghttp2_session_detach_idle_stream(session, stream);
+
       rv = nghttp2_stream_dep_remove(stream);
       if (rv != 0) {
         return NULL;
@@ -1471,6 +1485,21 @@ int nghttp2_session_close_stream(nghttp2_session *session, int32_t stream_id,
 
   DEBUGF("stream: stream(%p)=%d close\n", stream, stream->stream_id);
 
+  /* We call on_stream_close_callback even if stream->state is
+     NGHTTP2_STREAM_INITIAL. This will happen while sending request
+     HEADERS, a local endpoint receives RST_STREAM for that stream. It
+     may be PROTOCOL_ERROR, but without notifying stream closure will
+     hang the stream in a local endpoint.
+  */
+
+  if (session->callbacks.on_stream_close_callback) {
+    if (session->callbacks.on_stream_close_callback(
+            session, stream_id, error_code, session->user_data) != 0) {
+
+      return NGHTTP2_ERR_CALLBACK_FAILURE;
+    }
+  }
+
   if (stream->item) {
     nghttp2_outbound_item *item;
 
@@ -1488,21 +1517,6 @@ int nghttp2_session_close_stream(nghttp2_session *session, int32_t stream_id,
     }
   }
 
-  /* We call on_stream_close_callback even if stream->state is
-     NGHTTP2_STREAM_INITIAL. This will happen while sending request
-     HEADERS, a local endpoint receives RST_STREAM for that stream. It
-     may be PROTOCOL_ERROR, but without notifying stream closure will
-     hang the stream in a local endpoint.
-  */
-
-  if (session->callbacks.on_stream_close_callback) {
-    if (session->callbacks.on_stream_close_callback(
-            session, stream_id, error_code, session->user_data) != 0) {
-
-      return NGHTTP2_ERR_CALLBACK_FAILURE;
-    }
-  }
-
   is_my_stream_id = nghttp2_session_is_my_stream_id(session, stream_id);
 
   /* pushed streams which is not opened yet is not counted toward max
@@ -1559,6 +1573,11 @@ int nghttp2_session_destroy_stream(nghttp2_session *session,
     }
   }
 
+  if (stream->queued &&
+      (stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES)) {
+    session_ob_data_remove(session, stream);
+  }
+
   nghttp2_map_remove(&session->streams, stream->stream_id);
   nghttp2_stream_free(stream);
   nghttp2_mem_free(mem, stream);
@@ -6812,6 +6831,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
           }
         }
         session_inbound_frame_reset(session);
+
+        session->num_continuations = 0;
       }
       break;
     }
@@ -6933,6 +6954,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
       }
 #endif /* DEBUGBUILD */
 
+      if (++session->num_continuations > session->max_continuations) {
+        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+      }
+
       readlen = inbound_frame_buf_read(iframe, in, last);
       in += readlen;
 
diff --git a/contrib/libs/nghttp2/lib/nghttp2_session.h b/contrib/libs/nghttp2/lib/nghttp2_session.h
index b119329a04..ef8f7b27d6 100644
--- a/contrib/libs/nghttp2/lib/nghttp2_session.h
+++ b/contrib/libs/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
 #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
 #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
 
+/* The default max number of CONTINUATION frames following an incoming
+   HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
@@ -290,6 +294,12 @@ struct nghttp2_session {
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
+  /* The maximum number of CONTINUATION frames following an incoming
+     HEADER frame. */
+  size_t max_continuations;
+  /* The number of CONTINUATION frames following an incoming HEADER
+     frame.  This variable is reset when END_HEADERS flag is seen. */
+  size_t num_continuations;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
diff --git a/contrib/libs/nghttp2/ya.make b/contrib/libs/nghttp2/ya.make
index 12c83b34a5..c12d6e78ed 100644
--- a/contrib/libs/nghttp2/ya.make
+++ b/contrib/libs/nghttp2/ya.make
@@ -9,9 +9,9 @@ LICENSE(
 
 LICENSE_TEXTS(.yandex_meta/licenses.list.txt)
 
-VERSION(1.60.0)
+VERSION(1.61.0)
 
-ORIGINAL_SOURCE(https://github.com/nghttp2/nghttp2/archive/v1.60.0.tar.gz)
+ORIGINAL_SOURCE(https://github.com/nghttp2/nghttp2/archive/v1.61.0.tar.gz)
 
 ADDINCL(
     GLOBAL contrib/libs/nghttp2/lib/includes