rpms
/
nghttp2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2024-27316, CVE-2024-28182 - fix CONTINUATION frames DoS

This commit is contained in:
Jan Macku 2024-04-10 12:35:11 +02:00 committed by root
parent 81506b8ab5
commit a9db312d3f
3 changed files with 201 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.nghttp2.metadata Normal file
View File

@ -0,0 +1 @@
b9d846e53af53fc5814015c9d3d6c0d2c684c046 nghttp2-1.43.0.tar.xz

193
0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch Normal file
View File

@ -0,0 +1,193 @@
From faca42daa4d3166e0af50cd1b33dc607a0f63af1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
Signed-off-by: Jan Macku <jamacku@redhat.com>
Add nghttp2_option_set_max_continuations
(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9)
Signed-off-by: Jan Macku <jamacku@redhat.com>
---
doc/Makefile.am | 1 +
lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++-
lib/nghttp2_helper.c | 2 ++
lib/nghttp2_option.c | 5 +++++
lib/nghttp2_option.h | 5 +++++
lib/nghttp2_session.c | 11 +++++++++++
lib/nghttp2_session.h | 10 ++++++++++
7 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index f8d7b48f..39d0d304 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -68,6 +68,7 @@ APIDOCS= \
nghttp2_option_set_no_recv_client_magic.rst \
nghttp2_option_set_peer_max_concurrent_streams.rst \
nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_continuations.rst \
nghttp2_option_set_max_outbound_ack.rst \
nghttp2_option_set_max_settings.rst \
nghttp2_option_set_stream_reset_rate_limit.rst \
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
index 1f2a3b93..1137e645 100644
--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
@@ -2736,6 +2741,17 @@ NGHTTP2_EXTERN void
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
uint64_t burst, uint64_t rate);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
index 0bd54147..4158a0b0 100644
--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
index 0d9a4044..f3659c18 100644
--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
index e6ba9100..c1b48c73 100644
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -69,6 +69,7 @@ typedef enum {
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -96,6 +97,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_SETTINGS
*/
size_t max_settings;
+ /**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 80072d21..3e11bd8f 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -538,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr,
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6309,6 +6314,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6430,6 +6437,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
index 9d429921..d8f9c395 100644
--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
@@ -107,6 +107,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -279,6 +283,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.44.0

8
nghttp2.spec
View File

@ -1,7 +1,7 @@
Summary: Experimental HTTP/2 client, server and proxy
Name: nghttp2
Version: 1.43.0
Release: 5%{?dist}.1
Release: 6%{?dist}
License: MIT
URL: https://nghttp2.org/
Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
@ -9,6 +9,9 @@ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/ng
# fix HTTP/2 Rapid Reset (CVE-2023-44487)
Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch
# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
BuildRequires: automake
BuildRequires: libtool
@ -122,6 +125,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
%changelog
* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.43.0-6
- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.43.0-5.1
- fix HTTP/2 Rapid Reset (CVE-2023-44487)