diff --git a/SOURCES/0001-nghttp2-1.43.0-CVE-2023-44487.patch b/SOURCES/0001-nghttp2-1.43.0-CVE-2023-44487.patch new file mode 100644 index 0000000..4622f14 --- /dev/null +++ b/SOURCES/0001-nghttp2-1.43.0-CVE-2023-44487.patch @@ -0,0 +1,976 @@ +From 965098a38e8118c0a8c6b249dba76cf498f2a126 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sun, 1 Oct 2023 00:05:01 +0900 +Subject: [PATCH] Rework session management + +(cherry picked from commit 72b4af6143681f528f1d237b21a9a7aee1738832) + +Signed-off-by: Jan Macku +--- + CMakeLists.txt | 4 ++ + cmakeconfig.h.in | 9 +++ + configure.ac | 21 +++++++ + doc/Makefile.am | 1 + + lib/CMakeLists.txt | 2 + + lib/Makefile.am | 4 ++ + lib/includes/nghttp2/nghttp2.h | 17 ++++++ + lib/nghttp2_option.c | 7 +++ + lib/nghttp2_option.h | 6 ++ + lib/nghttp2_ratelim.c | 75 ++++++++++++++++++++++++ + lib/nghttp2_ratelim.h | 57 ++++++++++++++++++ + lib/nghttp2_session.c | 34 ++++++++++- + lib/nghttp2_session.h | 12 +++- + lib/nghttp2_time.c | 62 ++++++++++++++++++++ + lib/nghttp2_time.h | 38 ++++++++++++ + tests/CMakeLists.txt | 1 + + tests/Makefile.am | 6 +- + tests/main.c | 7 ++- + tests/nghttp2_ratelim_test.c | 101 ++++++++++++++++++++++++++++++++ + tests/nghttp2_ratelim_test.h | 35 +++++++++++ + tests/nghttp2_session_test.c | 103 +++++++++++++++++++++++++++++++++ + tests/nghttp2_session_test.h | 1 + + 22 files changed, 598 insertions(+), 5 deletions(-) + create mode 100644 lib/nghttp2_ratelim.c + create mode 100644 lib/nghttp2_ratelim.h + create mode 100644 lib/nghttp2_time.c + create mode 100644 lib/nghttp2_time.h + create mode 100644 tests/nghttp2_ratelim_test.c + create mode 100644 tests/nghttp2_ratelim_test.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 08ab279e..5a4b2b56 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -260,6 +260,7 @@ check_include_file("netinet/in.h" HAVE_NETINET_IN_H) + check_include_file("pwd.h" HAVE_PWD_H) + check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H) + check_include_file("sys/time.h" HAVE_SYS_TIME_H) ++check_include_file("sysinfoapi.h" HAVE_SYSINFOAPI_H) + check_include_file("syslog.h" HAVE_SYSLOG_H) + check_include_file("time.h" HAVE_TIME_H) + check_include_file("unistd.h" HAVE_UNISTD_H) +@@ -300,8 +301,11 @@ check_type_size("time_t" SIZEOF_TIME_T) + include(CheckFunctionExists) + check_function_exists(_Exit HAVE__EXIT) + check_function_exists(accept4 HAVE_ACCEPT4) ++check_function_exists(clock_gettime HAVE_CLOCK_GETTIME) + check_function_exists(mkostemp HAVE_MKOSTEMP) + ++check_symbol_exists(GetTickCount64 sysinfoapi.h HAVE_GETTICKCOUNT64) ++ + include(CheckSymbolExists) + # XXX does this correctly detect initgroups (un)availability on cygwin? + check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS) +diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in +index 6c96f70a..78c2cc1d 100644 +--- a/cmakeconfig.h.in ++++ b/cmakeconfig.h.in +@@ -31,9 +31,15 @@ + /* Define to 1 if you have the `accept4` function. */ + #cmakedefine HAVE_ACCEPT4 1 + ++/* Define to 1 if you have the `clock_gettime` function. */ ++#cmakedefine HAVE_CLOCK_GETTIME 1 ++ + /* Define to 1 if you have the `mkostemp` function. */ + #cmakedefine HAVE_MKOSTEMP 1 + ++/* Define to 1 if you have the `GetTickCount64` function. */ ++#cmakedefine HAVE_GETTICKCOUNT64 1 ++ + /* Define to 1 if you have the `initgroups` function. */ + #cmakedefine01 HAVE_DECL_INITGROUPS + +@@ -70,6 +76,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_SYS_TIME_H 1 + ++/* Define to 1 if you have the header file. */ ++#cmakedefine HAVE_SYSINFOAPI_H 1 ++ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_SYSLOG_H 1 + +diff --git a/configure.ac b/configure.ac +index 67f86511..a7de8dbb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \ + string.h \ + sys/socket.h \ + sys/time.h \ ++ sysinfoapi.h \ + syslog.h \ + time.h \ + unistd.h \ +@@ -681,6 +682,7 @@ AC_FUNC_STRNLEN + AC_CHECK_FUNCS([ \ + _Exit \ + accept4 \ ++ clock_gettime \ + dup2 \ + getcwd \ + getpwnam \ +@@ -706,6 +708,25 @@ AC_CHECK_FUNCS([ \ + AC_CHECK_FUNC([timerfd_create], + [have_timerfd_create=yes], [have_timerfd_create=no]) + ++AC_MSG_CHECKING([checking for GetTickCount64]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM( ++[[ ++#include ++]], ++[[ ++GetTickCount64(); ++]])], ++[have_gettickcount64=yes], ++[have_gettickcount64=no]) ++ ++if test "x${have_gettickcount64}" = "xyes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([HAVE_GETTICKCOUNT64], [1], ++ [Define to 1 if you have `GetTickCount64` function.]) ++else ++ AC_MSG_RESULT([no]) ++fi ++ + # For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but + # cygwin disables initgroups due to feature test macro magic with our + # configuration. FreeBSD declares initgroups() in unistd.h. +diff --git a/doc/Makefile.am b/doc/Makefile.am +index a7226c1f..f8d7b48f 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -70,6 +70,7 @@ APIDOCS= \ + nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ + nghttp2_option_set_max_settings.rst \ ++ nghttp2_option_set_stream_reset_rate_limit.rst \ + nghttp2_pack_settings_payload.rst \ + nghttp2_priority_spec_check_default.rst \ + nghttp2_priority_spec_default_init.rst \ +diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt +index a02a534b..03f6030b 100644 +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES + nghttp2_mem.c + nghttp2_http.c + nghttp2_rcbuf.c ++ nghttp2_ratelim.c ++ nghttp2_time.c + nghttp2_debug.c + nghttp2_ksl.c + ) +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 63fa0fa8..2369f246 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \ + nghttp2_mem.c \ + nghttp2_http.c \ + nghttp2_rcbuf.c \ ++ nghttp2_ratelim.c \ ++ nghttp2_time.c \ + nghttp2_debug.c \ + nghttp2_ksl.c + +@@ -66,6 +68,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \ + nghttp2_mem.h \ + nghttp2_http.h \ + nghttp2_rcbuf.h \ ++ nghttp2_ratelim.h \ ++ nghttp2_time.h \ + nghttp2_debug.h \ + nghttp2_ksl.h + +diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h +index edc0defc..1f2a3b93 100644 +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -2719,6 +2719,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, + NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option, + size_t val); + ++/** ++ * @function ++ * ++ * This function sets the rate limit for the incoming stream reset ++ * (RST_STREAM frame). It is server use only. It is a token-bucket ++ * based rate limiter. |burst| specifies the number of tokens that is ++ * initially available. The maximum number of tokens is capped to ++ * this value. |rate| specifies the number of tokens that are ++ * regenerated per second. An incoming RST_STREAM consumes one token. ++ * If there is no token available, GOAWAY is sent to tear down the ++ * connection. |burst| and |rate| default to 1000 and 33 ++ * respectively. ++ */ ++NGHTTP2_EXTERN void ++nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, ++ uint64_t burst, uint64_t rate); ++ + /** + * @function + * +diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c +index 34348e66..0d9a4044 100644 +--- a/lib/nghttp2_option.c ++++ b/lib/nghttp2_option.c +@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) { + option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS; + option->max_settings = val; + } ++ ++void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, ++ uint64_t burst, uint64_t rate) { ++ option->opt_set_mask |= NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT; ++ option->stream_reset_burst = burst; ++ option->stream_reset_rate = rate; ++} +diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h +index 939729fd..e6ba9100 100644 +--- a/lib/nghttp2_option.h ++++ b/lib/nghttp2_option.h +@@ -68,12 +68,18 @@ typedef enum { + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, + NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, ++ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, + } nghttp2_option_flag; + + /** + * Struct to store option values for nghttp2_session. + */ + struct nghttp2_option { ++ /** ++ * NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT ++ */ ++ uint64_t stream_reset_burst; ++ uint64_t stream_reset_rate; + /** + * NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH + */ +diff --git a/lib/nghttp2_ratelim.c b/lib/nghttp2_ratelim.c +new file mode 100644 +index 00000000..7011655b +--- /dev/null ++++ b/lib/nghttp2_ratelim.c +@@ -0,0 +1,75 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#include "nghttp2_ratelim.h" ++#include "nghttp2_helper.h" ++ ++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate) { ++ rl->val = rl->burst = burst; ++ rl->rate = rate; ++ rl->tstamp = 0; ++} ++ ++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp) { ++ uint64_t d, gain; ++ ++ if (tstamp == rl->tstamp) { ++ return; ++ } ++ ++ if (tstamp > rl->tstamp) { ++ d = tstamp - rl->tstamp; ++ } else { ++ d = 1; ++ } ++ ++ rl->tstamp = tstamp; ++ ++ if (UINT64_MAX / d < rl->rate) { ++ rl->val = rl->burst; ++ ++ return; ++ } ++ ++ gain = rl->rate * d; ++ ++ if (UINT64_MAX - gain < rl->val) { ++ rl->val = rl->burst; ++ ++ return; ++ } ++ ++ rl->val += gain; ++ rl->val = nghttp2_min(rl->val, rl->burst); ++} ++ ++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n) { ++ if (rl->val < n) { ++ return -1; ++ } ++ ++ rl->val -= n; ++ ++ return 0; ++} +diff --git a/lib/nghttp2_ratelim.h b/lib/nghttp2_ratelim.h +new file mode 100644 +index 00000000..866ed3f0 +--- /dev/null ++++ b/lib/nghttp2_ratelim.h +@@ -0,0 +1,57 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_RATELIM_H ++#define NGHTTP2_RATELIM_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++#include ++ ++typedef struct nghttp2_ratelim { ++ /* burst is the maximum value of val. */ ++ uint64_t burst; ++ /* rate is the amount of value that is regenerated per 1 tstamp. */ ++ uint64_t rate; ++ /* val is the amount of value available to drain. */ ++ uint64_t val; ++ /* tstamp is the last timestamp in second resolution that is known ++ to this object. */ ++ uint64_t tstamp; ++} nghttp2_ratelim; ++ ++/* nghttp2_ratelim_init initializes |rl| with the given parameters. */ ++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate); ++ ++/* nghttp2_ratelim_update updates rl->val with the current |tstamp| ++ given in second resolution. */ ++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp); ++ ++/* nghttp2_ratelim_drain drains |n| from rl->val. It returns 0 if it ++ succeeds, or -1. */ ++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n); ++ ++#endif /* NGHTTP2_RATELIM_H */ +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 2e7e907f..80072d21 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -36,6 +36,7 @@ + #include "nghttp2_option.h" + #include "nghttp2_http.h" + #include "nghttp2_pq.h" ++#include "nghttp2_time.h" + #include "nghttp2_debug.h" + + /* +@@ -443,6 +444,10 @@ static int session_new(nghttp2_session **session_ptr, + NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS; + (*session_ptr)->pending_enable_push = 1; + ++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim, ++ NGHTTP2_DEFAULT_STREAM_RESET_BURST, ++ NGHTTP2_DEFAULT_STREAM_RESET_RATE); ++ + if (server) { + (*session_ptr)->server = 1; + } +@@ -527,6 +532,12 @@ static int session_new(nghttp2_session **session_ptr, + option->max_settings) { + (*session_ptr)->max_settings = option->max_settings; + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT) { ++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim, ++ option->stream_reset_burst, ++ option->stream_reset_rate); ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -4153,6 +4164,23 @@ static int session_process_priority_frame(nghttp2_session *session) { + return nghttp2_session_on_priority_received(session, frame); + } + ++static int session_update_stream_reset_ratelim(nghttp2_session *session) { ++ if (!session->server || (session->goaway_flags & NGHTTP2_GOAWAY_SUBMITTED)) { ++ return 0; ++ } ++ ++ nghttp2_ratelim_update(&session->stream_reset_ratelim, ++ nghttp2_time_now_sec()); ++ ++ if (nghttp2_ratelim_drain(&session->stream_reset_ratelim, 1) == 0) { ++ return 0; ++ } ++ ++ return nghttp2_session_add_goaway(session, session->last_recv_stream_id, ++ NGHTTP2_INTERNAL_ERROR, NULL, 0, ++ NGHTTP2_GOAWAY_AUX_NONE); ++} ++ + int nghttp2_session_on_rst_stream_received(nghttp2_session *session, + nghttp2_frame *frame) { + int rv; +@@ -4182,7 +4210,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } +- return 0; ++ ++ return session_update_stream_reset_ratelim(session); + } + + static int session_process_rst_stream_frame(nghttp2_session *session) { +@@ -6963,6 +6992,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id, + nghttp2_mem_free(mem, item); + return rv; + } ++ ++ session->goaway_flags |= NGHTTP2_GOAWAY_SUBMITTED; ++ + return 0; + } + +diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h +index 07bfbb6c..9d429921 100644 +--- a/lib/nghttp2_session.h ++++ b/lib/nghttp2_session.h +@@ -39,6 +39,7 @@ + #include "nghttp2_buf.h" + #include "nghttp2_callbacks.h" + #include "nghttp2_mem.h" ++#include "nghttp2_ratelim.h" + + /* The global variable for tests where we want to disable strict + preface handling. */ +@@ -102,6 +103,10 @@ typedef struct { + /* The default value of maximum number of concurrent streams. */ + #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu + ++/* The default values for stream reset rate limiter. */ ++#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 ++#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -176,7 +181,9 @@ typedef enum { + /* Flag means GOAWAY was sent */ + NGHTTP2_GOAWAY_SENT = 0x4, + /* Flag means GOAWAY was received */ +- NGHTTP2_GOAWAY_RECV = 0x8 ++ NGHTTP2_GOAWAY_RECV = 0x8, ++ /* Flag means GOAWAY has been submitted at least once */ ++ NGHTTP2_GOAWAY_SUBMITTED = 0x10 + } nghttp2_goaway_flag; + + /* nghttp2_inflight_settings stores the SETTINGS entries which local +@@ -227,6 +234,9 @@ struct nghttp2_session { + /* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not + considered as in-flight. */ + nghttp2_inflight_settings *inflight_settings_head; ++ /* Stream reset rate limiter. If receiving excessive amount of ++ stream resets, GOAWAY will be sent. */ ++ nghttp2_ratelim stream_reset_ratelim; + /* The number of outgoing streams. This will be capped by + remote_settings.max_concurrent_streams. */ + size_t num_outgoing_streams; +diff --git a/lib/nghttp2_time.c b/lib/nghttp2_time.c +new file mode 100644 +index 00000000..2a5f1a6f +--- /dev/null ++++ b/lib/nghttp2_time.c +@@ -0,0 +1,62 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#include "nghttp2_time.h" ++ ++#ifdef HAVE_TIME_H ++# include ++#endif /* HAVE_TIME_H */ ++ ++#ifdef HAVE_SYSINFOAPI_H ++# include ++#endif /* HAVE_SYSINFOAPI_H */ ++ ++#ifndef HAVE_GETTICKCOUNT64 ++static uint64_t time_now_sec(void) { ++ time_t t = time(NULL); ++ ++ if (t == -1) { ++ return 0; ++ } ++ ++ return (uint64_t)t; ++} ++#endif /* HAVE_GETTICKCOUNT64 */ ++ ++#ifdef HAVE_CLOCK_GETTIME ++uint64_t nghttp2_time_now_sec(void) { ++ struct timespec tp; ++ int rv = clock_gettime(CLOCK_MONOTONIC, &tp); ++ ++ if (rv == -1) { ++ return time_now_sec(); ++ } ++ ++ return (uint64_t)tp.tv_sec; ++} ++#elif defined(HAVE_GETTICKCOUNT64) ++uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; } ++#else /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */ ++uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); } ++#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */ +diff --git a/lib/nghttp2_time.h b/lib/nghttp2_time.h +new file mode 100644 +index 00000000..03c0bbe9 +--- /dev/null ++++ b/lib/nghttp2_time.h +@@ -0,0 +1,38 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_TIME_H ++#define NGHTTP2_TIME_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++#include ++ ++/* nghttp2_time_now_sec returns seconds from implementation-specific ++ timepoint. If it is unable to get seconds, it returns 0. */ ++uint64_t nghttp2_time_now_sec(void); ++ ++#endif /* NGHTTP2_TIME_H */ +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 4250ac3a..344c5422 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -21,6 +21,7 @@ if(HAVE_CUNIT) + nghttp2_npn_test.c + nghttp2_helper_test.c + nghttp2_buf_test.c ++ nghttp2_ratelim_test.c + ) + + add_executable(main EXCLUDE_FROM_ALL +diff --git a/tests/Makefile.am b/tests/Makefile.am +index c3e43925..c130a000 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghttp2_map_test.c nghttp2_queue_test.c \ + nghttp2_hd_test.c \ + nghttp2_npn_test.c \ + nghttp2_helper_test.c \ +- nghttp2_buf_test.c ++ nghttp2_buf_test.c \ ++ nghttp2_ratelim_test.c + + HFILES = nghttp2_pq_test.h nghttp2_map_test.h nghttp2_queue_test.h \ + nghttp2_session_test.h \ + nghttp2_frame_test.h nghttp2_stream_test.h nghttp2_hd_test.h \ + nghttp2_npn_test.h nghttp2_helper_test.h \ + nghttp2_test_helper.h \ +- nghttp2_buf_test.h ++ nghttp2_buf_test.h \ ++ nghttp2_ratelim_test.h + + main_SOURCES = $(HFILES) $(OBJECTS) + +diff --git a/tests/main.c b/tests/main.c +index 25cbbfd7..c4d39bbc 100644 +--- a/tests/main.c ++++ b/tests/main.c +@@ -40,6 +40,7 @@ + #include "nghttp2_npn_test.h" + #include "nghttp2_helper_test.h" + #include "nghttp2_buf_test.h" ++#include "nghttp2_ratelim_test.h" + + extern int nghttp2_enable_strict_preface; + +@@ -329,6 +330,8 @@ int main() { + test_nghttp2_session_no_closed_streams) || + !CU_add_test(pSuite, "session_set_stream_user_data", + test_nghttp2_session_set_stream_user_data) || ++ !CU_add_test(pSuite, "session_stream_reset_ratelim", ++ test_nghttp2_session_stream_reset_ratelim) || + !CU_add_test(pSuite, "http_mandatory_headers", + test_nghttp2_http_mandatory_headers) || + !CU_add_test(pSuite, "http_content_length", +@@ -425,7 +428,9 @@ int main() { + !CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) || + !CU_add_test(pSuite, "bufs_next_present", + test_nghttp2_bufs_next_present) || +- !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc)) { ++ !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc) || ++ !CU_add_test(pSuite, "ratelim_update", test_nghttp2_ratelim_update) || ++ !CU_add_test(pSuite, "ratelim_drain", test_nghttp2_ratelim_drain)) { + CU_cleanup_registry(); + return (int)CU_get_error(); + } +diff --git a/tests/nghttp2_ratelim_test.c b/tests/nghttp2_ratelim_test.c +new file mode 100644 +index 00000000..6abece95 +--- /dev/null ++++ b/tests/nghttp2_ratelim_test.c +@@ -0,0 +1,101 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#include "nghttp2_ratelim_test.h" ++ ++#include ++ ++#include ++ ++#include "nghttp2_ratelim.h" ++ ++void test_nghttp2_ratelim_update(void) { ++ nghttp2_ratelim rl; ++ ++ nghttp2_ratelim_init(&rl, 1000, 21); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(1000 == rl.burst); ++ CU_ASSERT(21 == rl.rate); ++ CU_ASSERT(0 == rl.tstamp); ++ ++ nghttp2_ratelim_update(&rl, 999); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(999 == rl.tstamp); ++ ++ nghttp2_ratelim_drain(&rl, 100); ++ ++ CU_ASSERT(900 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1000); ++ ++ CU_ASSERT(921 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1002); ++ ++ CU_ASSERT(963 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1004); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(1004 == rl.tstamp); ++ ++ /* timer skew */ ++ nghttp2_ratelim_init(&rl, 1000, 21); ++ nghttp2_ratelim_update(&rl, 1); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 0); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ /* rate * duration overflow */ ++ nghttp2_ratelim_init(&rl, 1000, 100); ++ nghttp2_ratelim_drain(&rl, 999); ++ ++ CU_ASSERT(1 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, UINT64_MAX); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ /* val + rate * duration overflow */ ++ nghttp2_ratelim_init(&rl, UINT64_MAX - 1, 2); ++ nghttp2_ratelim_update(&rl, 1); ++ ++ CU_ASSERT(UINT64_MAX - 1 == rl.val); ++} ++ ++void test_nghttp2_ratelim_drain(void) { ++ nghttp2_ratelim rl; ++ ++ nghttp2_ratelim_init(&rl, 100, 7); ++ ++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 101)); ++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 51)); ++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 49)); ++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 1)); ++} +diff --git a/tests/nghttp2_ratelim_test.h b/tests/nghttp2_ratelim_test.h +new file mode 100644 +index 00000000..02b2f2b2 +--- /dev/null ++++ b/tests/nghttp2_ratelim_test.h +@@ -0,0 +1,35 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_RATELIM_TEST_H ++#define NGHTTP2_RATELIM_TEST_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++void test_nghttp2_ratelim_update(void); ++void test_nghttp2_ratelim_drain(void); ++ ++#endif /* NGHTTP2_RATELIM_TEST_H */ +diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c +index 962e3c13..43db9352 100644 +--- a/tests/nghttp2_session_test.c ++++ b/tests/nghttp2_session_test.c +@@ -11055,6 +11055,109 @@ void test_nghttp2_session_set_stream_user_data(void) { + nghttp2_session_del(session); + } + ++void test_nghttp2_session_stream_reset_ratelim(void) { ++ nghttp2_session *session; ++ nghttp2_session_callbacks callbacks; ++ nghttp2_frame frame; ++ ssize_t rv; ++ nghttp2_bufs bufs; ++ nghttp2_buf *buf; ++ nghttp2_mem *mem; ++ size_t i; ++ nghttp2_hd_deflater deflater; ++ size_t nvlen; ++ nghttp2_nv *nva; ++ int32_t stream_id; ++ nghttp2_outbound_item *item; ++ nghttp2_option *option; ++ ++ mem = nghttp2_mem_default(); ++ frame_pack_bufs_init(&bufs); ++ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.send_callback = null_send_callback; ++ ++ nghttp2_option_new(&option); ++ nghttp2_option_set_stream_reset_rate_limit( ++ option, NGHTTP2_DEFAULT_STREAM_RESET_BURST, 0); ++ ++ nghttp2_session_server_new2(&session, &callbacks, NULL, option); ++ ++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, NULL, 0); ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_frame_settings_free(&frame.settings, mem); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ /* Send SETTINGS ACK */ ++ rv = nghttp2_session_send(session); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_hd_deflate_init(&deflater, mem); ++ ++ for (i = 0; i < NGHTTP2_DEFAULT_STREAM_RESET_BURST + 2; ++i) { ++ stream_id = (int32_t)(i * 2 + 1); ++ ++ nghttp2_bufs_reset(&bufs); ++ ++ /* HEADERS */ ++ nvlen = ARRLEN(reqnv); ++ nghttp2_nv_array_copy(&nva, reqnv, nvlen, mem); ++ nghttp2_frame_headers_init(&frame.headers, NGHTTP2_FLAG_END_HEADERS, ++ stream_id, NGHTTP2_HCAT_HEADERS, NULL, nva, ++ nvlen); ++ rv = nghttp2_frame_pack_headers(&bufs, &frame.headers, &deflater); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_frame_headers_free(&frame.headers, mem); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ nghttp2_bufs_reset(&bufs); ++ ++ /* RST_STREAM */ ++ nghttp2_frame_rst_stream_init(&frame.rst_stream, stream_id, ++ NGHTTP2_NO_ERROR); ++ nghttp2_frame_pack_rst_stream(&bufs, &frame.rst_stream); ++ nghttp2_frame_rst_stream_free(&frame.rst_stream); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ if (i < NGHTTP2_DEFAULT_STREAM_RESET_BURST) { ++ CU_ASSERT(0 == nghttp2_outbound_queue_size(&session->ob_reg)); ++ ++ continue; ++ } ++ ++ CU_ASSERT(1 == nghttp2_outbound_queue_size(&session->ob_reg)); ++ ++ item = nghttp2_session_get_next_ob_item(session); ++ ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); ++ CU_ASSERT(NGHTTP2_DEFAULT_STREAM_RESET_BURST * 2 + 1 == ++ item->frame.goaway.last_stream_id); ++ } ++ ++ nghttp2_hd_deflate_free(&deflater); ++ nghttp2_session_del(session); ++ nghttp2_bufs_free(&bufs); ++ nghttp2_option_del(option); ++} ++ + static void check_nghttp2_http_recv_headers_fail( + nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id, + int stream_state, const nghttp2_nv *nva, size_t nvlen) { +diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h +index bdedd849..23fda64a 100644 +--- a/tests/nghttp2_session_test.h ++++ b/tests/nghttp2_session_test.h +@@ -162,6 +162,7 @@ void test_nghttp2_session_removed_closed_stream(void); + void test_nghttp2_session_pause_data(void); + void test_nghttp2_session_no_closed_streams(void); + void test_nghttp2_session_set_stream_user_data(void); ++void test_nghttp2_session_stream_reset_ratelim(void); + void test_nghttp2_http_mandatory_headers(void); + void test_nghttp2_http_content_length(void); + void test_nghttp2_http_content_length_mismatch(void); +-- +2.41.0 + diff --git a/SOURCES/0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch b/SOURCES/0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch new file mode 100644 index 0000000..c17a8a9 --- /dev/null +++ b/SOURCES/0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch @@ -0,0 +1,193 @@ +From faca42daa4d3166e0af50cd1b33dc607a0f63af1 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:26:42 +0900 +Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame + +(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0) +Signed-off-by: Jan Macku + +Add nghttp2_option_set_max_continuations + +(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9) +Signed-off-by: Jan Macku +--- + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++- + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_option.c | 5 +++++ + lib/nghttp2_option.h | 5 +++++ + lib/nghttp2_session.c | 11 +++++++++++ + lib/nghttp2_session.h | 10 ++++++++++ + 7 files changed, 51 insertions(+), 1 deletion(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index f8d7b48f..39d0d304 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -68,6 +68,7 @@ APIDOCS= \ + nghttp2_option_set_no_recv_client_magic.rst \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ ++ nghttp2_option_set_max_continuations.rst \ + nghttp2_option_set_max_outbound_ack.rst \ + nghttp2_option_set_max_settings.rst \ + nghttp2_option_set_stream_reset_rate_limit.rst \ +diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h +index 1f2a3b93..1137e645 100644 +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -440,7 +440,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +@@ -2736,6 +2741,17 @@ NGHTTP2_EXTERN void + nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + uint64_t burst, uint64_t rate); + ++/** ++ * @function ++ * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ + /** + * @function + * +diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c +index 0bd54147..4158a0b0 100644 +--- a/lib/nghttp2_helper.c ++++ b/lib/nghttp2_helper.c +@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) { + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c +index 0d9a4044..f3659c18 100644 +--- a/lib/nghttp2_option.c ++++ b/lib/nghttp2_option.c +@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + option->stream_reset_burst = burst; + option->stream_reset_rate = rate; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h +index e6ba9100..c1b48c73 100644 +--- a/lib/nghttp2_option.h ++++ b/lib/nghttp2_option.h +@@ -69,6 +69,7 @@ typedef enum { + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, + NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -96,6 +97,10 @@ struct nghttp2_option { + * NGHTTP2_OPT_MAX_SETTINGS + */ + size_t max_settings; ++ /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; + /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 80072d21..3e11bd8f 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr, + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -538,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr, + option->stream_reset_burst, + option->stream_reset_rate); + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -6309,6 +6314,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6430,6 +6437,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h +index 9d429921..d8f9c395 100644 +--- a/lib/nghttp2_session.h ++++ b/lib/nghttp2_session.h +@@ -107,6 +107,10 @@ typedef struct { + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -279,6 +283,12 @@ struct nghttp2_session { + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +-- +2.44.0 + diff --git a/SPECS/nghttp2.spec b/SPECS/nghttp2.spec index 6981a07..0619901 100644 --- a/SPECS/nghttp2.spec +++ b/SPECS/nghttp2.spec @@ -1,11 +1,20 @@ Summary: Experimental HTTP/2 client, server and proxy Name: nghttp2 Version: 1.43.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: https://nghttp2.org/ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz +# fix HTTP/2 Rapid Reset (CVE-2023-44487) +Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch + +# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316) +Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch + +BuildRequires: automake +BuildRequires: libtool + BuildRequires: CUnit-devel BuildRequires: c-ares-devel BuildRequires: gcc-c++ @@ -43,7 +52,8 @@ for building applications with libnghttp2. %prep -%setup -q +%autosetup -p1 +autoreconf -fvi # make fetch-ocsp-response use Python 3 sed -e '1 s|^#!/.*python|&3|' -i script/fetch-ocsp-response @@ -115,6 +125,12 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %changelog +* Wed Apr 10 2024 Jan Macku - 1.43.0-6 +- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316) + +* Fri Oct 13 2023 Jan Macku - 1.43.0-5.1 +- fix HTTP/2 Rapid Reset (CVE-2023-44487) + * Mon Aug 09 2021 Mohan Boddu - 1.43.0-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688