From f413f7c9cf5749c231c4b4e667dc2cbab959dd59 Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Thu, 15 Nov 2018 09:50:34 +1100 Subject: deps,http: llhttp set max header size to 8KB CVE-2018-12121 As per nodejs-private/node-private#149 for http_parse but for llhttp Ref: https://github.com/nodejs-private/node-private/pull/143 PR-URL: https://github.com/nodejs-private/node-private/pull/149 Reviewed-By: Matteo Collina --- src/node_http_parser.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/node_http_parser.cc')
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index f752a003a25..dcc5d8744ec 100644
--- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc
@@ -852,7 +852,7 @@ class Parser : public AsyncWrap, public StreamListener {
 static const parser_settings_t settings;
 #ifdef NODE_EXPERIMENTAL_HTTP
- static const uint64_t kMaxHeaderSize = 80 * 1024;
+ static const uint64_t kMaxHeaderSize = 8 * 1024;
 #endif /* NODE_EXPERIMENTAL_HTTP */
 };
-- cgit v1.2.3
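Review bot: The new `kMaxHeaderSize` line is a bare magic number with nothing saying what it bounds or why it is 8KB, which is how the earlier `80 * 1024` could sit there unnoticed. I would put a comment directly above it, for example `// Upper bound on accumulated header bytes per message (CVE-2018-12121); keep equal to the limit used on the non-experimental parser path.` The commit message implies that the other parser path carries the same limit, but that code and the place where this constant is enforced are outside the hunk, so the "keep equal" wording should be confirmed against them. This view is limited to one file, so it is not visible whether a regression test accompanies the change. A test that sends headers just over the limit in a `NODE_EXPERIMENTAL_HTTP` build and expects the request to be rejected would keep the bound from drifting again.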