Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames

Luboš Uhliarik 2024-04-05 12:24:12 +02:00 committed by root
parent 4e9a81348c
commit d01234c79e
3 changed files with 64 additions and 1 deletions

.mod_http2.metadata Normal file
View File

@ -0,0 +1 @@
6f52107e47548eee1c45c3fc7a7ca2245a115dd8 mod_http2-1.15.7.tar.gz
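Review bot: `.mod_http2.metadata` is introduced as a new file ("Normal file") in a commit whose stated purpose is adding a CVE patch; confirm that the tarball checksum line `6f52107e47548eee1c45c3fc7a7ca2245a115dd8 mod_http2-1.15.7.tar.gz` belongs in this change rather than in the original source import, since it determines which source archive the build fetches.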

View File

@ -0,0 +1,55 @@
From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 23 Feb 2024 15:13:56 +0100
Subject: [PATCH] RESET stream after 100 failed incoming headers
---
mod_http2/h2_session.c | 10 +++++++---
mod_http2/h2_stream.c | 1 +
mod_http2/h2_stream.h | 1 +
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
index a5cc306..4b38518 100644
--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
@@ -311,7 +311,12 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
status = h2_stream_add_header(stream, (const char *)name, namelen,
(const char *)value, valuelen);
- if (status != APR_SUCCESS && !h2_stream_is_ready(stream)) {
+ if (status != APR_SUCCESS
+ && (!h2_stream_is_ready(stream) ||
+ /* We accept a certain amount of failures in order to reply
+ * with an informative HTTP error response like 413. But of the
+ * client is too wrong, we fail the request an RESET the stream */
+ stream->request_headers_failed > 100)) {
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
return 0;
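Review bot: the threshold in `stream->request_headers_failed > 100` is a magic number; a named constant (or a configurable limit) placed next to the explanatory comment would document why 100 was chosen and make it tunable per deployment. The new comment also carries two typos: "But of the client is too wrong" should read "But if the client is too wrong", and "fail the request an RESET the stream" should read "and RESET the stream". Note that the comparison is strict (`> 100`), so the stream is reset on the 101st rejected header, one more than the subject line "RESET stream after 100 failed incoming headers" suggests; either adjust the comparison or the wording.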
diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
index 6136baa..d3c4d99 100644
--- a/mod_http2/h2_stream.c
+++ b/mod_http2/h2_stream.c
@@ -733,6 +733,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
}
if (error) {
+ ++stream->request_headers_failed;
set_error_response(stream, error);
return APR_EINVAL;
}
diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
index 79cb39d..4ddf1a2 100644
--- a/mod_http2/h2_stream.h
+++ b/mod_http2/h2_stream.h
@@ -75,7 +75,8 @@ struct h2_stream {
struct h2_request *rtmp; /* request being assembled */
apr_table_t *trailers; /* optional incoming trailers */
int request_headers_added; /* number of request headers added */
-
+ int request_headers_failed; /* number of request headers failed to add */
+
struct h2_bucket_beam *input;
apr_bucket_brigade *in_buffer;
int in_window_size;
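Review bot: the new `request_headers_failed` field gets no initializer anywhere in this patch, and the check in `on_header_cb` relies on it starting at zero; please confirm that `h2_stream` instances are allocated from zeroed memory, or add an explicit `stream->request_headers_failed = 0;` at stream creation so the limit cannot be skewed by an uninitialized value.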

View File

@ -3,7 +3,7 @@
Name: mod_http2
Version: 1.15.7
Release: 9%{?dist}.3
Release: 10%{?dist}
Summary: module implementing HTTP/2 for Apache 2
Group: System Environment/Daemons
License: ASL 2.0
@ -18,6 +18,8 @@ Patch5: mod_http2-1.15.7-SNI.patch
Patch6: mod_http2-1.15.7-CVE-2023-25690.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2243877
Patch7: mod_http2-1.15.7-CVE-2023-45802.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2268277
Patch8: mod_http2-1.15.7-CVE-2024-27316.patch
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
Requires: httpd-mmn = %{_httpd_mmn}
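Review bot: the bugzilla comment line above `Patch8: mod_http2-1.15.7-CVE-2024-27316.patch` follows the convention used for Patch7, but the commit title and the changelog entry reference the Jira ticket RHEL-29817 rather than the bugzilla number; consider listing both references on the comment line so the patch, the changelog and the ticket can be cross-referenced without searching.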
@ -36,6 +38,7 @@ top of libnghttp2 for httpd 2.4 servers.
%patch5 -p1 -b .SNI
%patch6 -p1 -b .CVE-2023-25690
%patch7 -p1 -b .CVE-2023-45802
%patch8 -p1 -b .CVE-2024-27316
%build
%configure
@ -62,6 +65,10 @@ make check
%{_httpd_moddir}/mod_proxy_http2.so
%changelog
* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames
DoS (CVE-2024-27316)
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-9.3
- Resolves: RHEL-13367 - httpd:2.4/mod_http2: reset requests exhaust memory
(incomplete fix of CVE-2023-44487)(CVE-2023-45802)