Fix for CVE-2024-27316

This commit is contained in:
Andrew Lukoshko 2024-04-12 12:08:52 +00:00
parent f716275667
commit 02c9d0f5d9
2 changed files with 64 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 23 Feb 2024 15:13:56 +0100
Subject: [PATCH] RESET stream after 100 failed incoming headers
---
mod_http2/h2_session.c | 10 +++++++---
mod_http2/h2_stream.c | 1 +
mod_http2/h2_stream.h | 1 +
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
index a5cc306..4b38518 100644
--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
@@ -311,7 +311,12 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
status = h2_stream_add_header(stream, (const char *)name, namelen,
(const char *)value, valuelen);
- if (status != APR_SUCCESS && !h2_stream_is_ready(stream)) {
+ if (status != APR_SUCCESS
+ && (!h2_stream_is_ready(stream) ||
+ /* We accept a certain amount of failures in order to reply
+ * with an informative HTTP error response like 413. But of the
+ * client is too wrong, we fail the request an RESET the stream */
+ stream->request_headers_failed > 100)) {
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
return 0;
diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
index 6136baa..d3c4d99 100644
--- a/mod_http2/h2_stream.c
+++ b/mod_http2/h2_stream.c
@@ -733,6 +733,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
}
if (error) {
+ ++stream->request_headers_failed;
set_error_response(stream, error);
return APR_EINVAL;
}
diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
index 79cb39d..4ddf1a2 100644
--- a/mod_http2/h2_stream.h
+++ b/mod_http2/h2_stream.h
@@ -75,7 +75,8 @@ struct h2_stream {
struct h2_request *rtmp; /* request being assembled */
apr_table_t *trailers; /* optional incoming trailers */
int request_headers_added; /* number of request headers added */
-
+ int request_headers_failed; /* number of request headers failed to add */
+
struct h2_bucket_beam *input;
apr_bucket_brigade *in_buffer;
int in_window_size;

View File

@ -3,7 +3,7 @@
Name: mod_http2 Name: mod_http2
Version: 1.15.7 Version: 1.15.7
Release: 8%{?dist}.3 Release: 8%{?dist}.5.alma.1
Summary: module implementing HTTP/2 for Apache 2 Summary: module implementing HTTP/2 for Apache 2
Group: System Environment/Daemons Group: System Environment/Daemons
License: ASL 2.0 License: ASL 2.0
@ -16,6 +16,9 @@ Patch4: mod_http2-1.15.7-CVE-2021-44224.patch
Patch5: mod_http2-1.15.7-SNI.patch Patch5: mod_http2-1.15.7-SNI.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
Patch6: mod_http2-1.15.7-CVE-2023-25690.patch Patch6: mod_http2-1.15.7-CVE-2023-25690.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2268277
Patch7: mod_http2-1.15.7-CVE-2024-27316.patch
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2 BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
@ -33,6 +36,7 @@ top of libnghttp2 for httpd 2.4 servers.
%patch4 -p1 -b .CVE-2021-44224 %patch4 -p1 -b .CVE-2021-44224
%patch5 -p1 -b .SNI %patch5 -p1 -b .SNI
%patch6 -p1 -b .CVE-2023-25690 %patch6 -p1 -b .CVE-2023-25690
%patch7 -p1 -b .CVE-2024-27316
%build %build
%configure %configure
@ -59,6 +63,10 @@ make check
%{_httpd_moddir}/mod_proxy_http2.so %{_httpd_moddir}/mod_proxy_http2.so
%changelog %changelog
* Fri Apr 12 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 1.15.7-8.5.alma.1
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames
DoS (CVE-2024-27316)
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3 * Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting - Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
with mod_rewrite and mod_proxy with mod_rewrite and mod_proxy