From a7e3cd52e0a03286267177aa9b88d64232fbaeaf Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Fri, 3 May 2024 20:28:32 +0400
Subject: [PATCH] HTTP/3: fixed handling of malformed request body length.

Previously, a request body larger than declared in Content-Length resulted in
a 413 status code, because Content-Length was mistakenly used as the maximum
allowed request body, similar to client_max_body_size.  Following the HTTP/3
specification, such requests are now rejected with the 400 error as malformed.
---
 src/http/v3/ngx_http_v3_request.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index 87f5f3214..aec122be6 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -1575,6 +1575,15 @@ ngx_http_v3_request_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
                 /* rc == NGX_OK */
 
                 if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
+
+                    if (r->headers_in.content_length_n != -1) {
+                        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                                      "client intended to send body data "
+                                      "larger than declared");
+
+                        return NGX_HTTP_BAD_REQUEST;
+                    }
+
                     ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                                   "client intended to send too large "
                                   "body: %O+%ui bytes",