Source: https://trac.nginx.org/nginx/changeset/cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc/nginx

This patch was modified from upstream in the following way(s):

* Update path so that the patch applies correctly
* dos2unix

Index: src/http/v2/ngx_http_v2.c
===================================================================
--- a/src/http/v2/ngx_http_v2.c	(revision 9121)
+++ b/src/http/v2/ngx_http_v2.c	(revision 9165)
@@ -348,4 +348,5 @@
 
     h2c->blocked = 1;
+    h2c->new_streams = 0;
 
     if (c->close) {
@@ -1285,4 +1286,12 @@
     }
 
+    if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent too many streams at once");
+
+        status = NGX_HTTP_V2_REFUSED_STREAM;
+        goto rst_stream;
+    }
+
     if (!h2c->settings_ack
         && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
@@ -1349,4 +1358,10 @@
 
 rst_stream:
+
+    if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent too many refused streams");
+        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
+    }
 
     if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
Index: src/http/v2/ngx_http_v2.h
===================================================================
--- a/src/http/v2/ngx_http_v2.h	(revision 9121)
+++ b/src/http/v2/ngx_http_v2.h	(revision 9165)
@@ -132,4 +132,6 @@
     ngx_uint_t                       frames;
     ngx_uint_t                       idle;
+    ngx_uint_t                       new_streams;
+    ngx_uint_t                       refused_streams;
     ngx_uint_t                       priority_limit;