CVE-2026-27135 - fix Denial of service: Assertion failure due to the missing state
validation Resolves: RHEL-157378
This commit is contained in:
parent
0d9404dd36
commit
9f2f72bf1e
133
0003-nghttp2-1.43.0-CVE-2026-27135.patch
Normal file
133
0003-nghttp2-1.43.0-CVE-2026-27135.patch
Normal file
@ -0,0 +1,133 @@
|
||||
From f5e9e3d3e73703d501ffd72057db107e6a3cab02 Mon Sep 17 00:00:00 2001
|
||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||
Date: Wed, 18 Feb 2026 22:40:57 +0900
|
||||
Subject: [PATCH] CVE-2026-27135
|
||||
|
||||
Check nghttp2_is_fatal first
|
||||
|
||||
(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d)
|
||||
|
||||
Fix missing iframe->state validations to avoid assertion failure
|
||||
|
||||
(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1)
|
||||
---
|
||||
lib/nghttp2_session.c | 44 +++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 36 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
|
||||
index 3e11bd8f..fe823713 100644
|
||||
--- a/lib/nghttp2_session.c
|
||||
+++ b/lib/nghttp2_session.c
|
||||
@@ -5537,6 +5537,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
busy = 1;
|
||||
|
||||
rv = session_on_data_received_fail_fast(session);
|
||||
+ if (nghttp2_is_fatal(rv)) {
|
||||
+ return rv;
|
||||
+ }
|
||||
+
|
||||
if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
return (ssize_t)inlen;
|
||||
}
|
||||
@@ -5547,10 +5551,6 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
break;
|
||||
}
|
||||
|
||||
- if (nghttp2_is_fatal(rv)) {
|
||||
- return rv;
|
||||
- }
|
||||
-
|
||||
rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd);
|
||||
if (rv < 0) {
|
||||
rv = nghttp2_session_terminate_session_with_reason(
|
||||
@@ -5620,6 +5620,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
+
|
||||
on_begin_frame_called = 1;
|
||||
|
||||
rv = session_process_headers_frame(session);
|
||||
@@ -5943,6 +5947,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
if (nghttp2_is_fatal(rv)) {
|
||||
return rv;
|
||||
}
|
||||
+
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6486,6 +6494,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
if (nghttp2_is_fatal(rv)) {
|
||||
return rv;
|
||||
}
|
||||
+
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
} else {
|
||||
iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
|
||||
}
|
||||
@@ -6651,13 +6663,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
rv = session->callbacks.on_data_chunk_recv_callback(
|
||||
session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
|
||||
in - readlen, (size_t)data_readlen, session->user_data);
|
||||
- if (rv == NGHTTP2_ERR_PAUSE) {
|
||||
- return in - first;
|
||||
- }
|
||||
-
|
||||
if (nghttp2_is_fatal(rv)) {
|
||||
return NGHTTP2_ERR_CALLBACK_FAILURE;
|
||||
}
|
||||
+
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
+
|
||||
+ if (rv == NGHTTP2_ERR_PAUSE) {
|
||||
+ return in - first;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -6738,6 +6754,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
+
|
||||
if (rv != 0) {
|
||||
busy = 1;
|
||||
|
||||
@@ -6756,6 +6776,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
+
|
||||
session_inbound_frame_reset(session);
|
||||
|
||||
break;
|
||||
@@ -6784,6 +6808,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
|
||||
+ return (ssize_t)inlen;
|
||||
+ }
|
||||
+
|
||||
session_inbound_frame_reset(session);
|
||||
|
||||
break;
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: Experimental HTTP/2 client, server and proxy
|
||||
Name: nghttp2
|
||||
Version: 1.43.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: MIT
|
||||
URL: https://nghttp2.org/
|
||||
Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
|
||||
@ -12,6 +12,9 @@ Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch
|
||||
# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
|
||||
Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
|
||||
|
||||
# fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
|
||||
Patch3: 0003-nghttp2-1.43.0-CVE-2026-27135.patch
|
||||
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
|
||||
@ -125,6 +128,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Apr 01 2026 Jan Macku <jamacku@redhat.com> - 1.43.0-7
|
||||
- fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
|
||||
|
||||
* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.43.0-6
|
||||
- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user