diff --git a/0004-nghttp2-1.33.0-CVE-2024-28182.patch b/0004-nghttp2-1.33.0-CVE-2024-28182.patch new file mode 100644 index 0000000..bcadb29 --- /dev/null +++ b/0004-nghttp2-1.33.0-CVE-2024-28182.patch @@ -0,0 +1,193 @@ +From 771044ffd217c5b20f1714e7e3fdd851a32d059c Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:26:42 +0900 +Subject: [PATCH] Add nghttp2_option_set_max_continuations + +(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9) +Signed-off-by: Jan Macku + +Limit CONTINUATION frames following an incoming HEADER frame + +(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0) +Signed-off-by: Jan Macku +--- + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++- + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_option.c | 5 +++++ + lib/nghttp2_option.h | 5 +++++ + lib/nghttp2_session.c | 11 +++++++++++ + lib/nghttp2_session.h | 10 ++++++++++ + 7 files changed, 51 insertions(+), 1 deletion(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 87f6c43b..1334de63 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -67,6 +67,7 @@ APIDOCS= \ + nghttp2_option_set_no_recv_client_magic.rst \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ ++ nghttp2_option_set_max_continuations.rst \ + nghttp2_option_set_max_outbound_ack.rst \ + nghttp2_option_set_max_settings.rst \ + nghttp2_option_set_stream_reset_rate_limit.rst \ +diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h +index 9eb764c6..2530a061 100644 +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -434,7 +434,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +@@ -2688,6 +2693,17 @@ NGHTTP2_EXTERN void + nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + uint64_t burst, uint64_t rate); + ++/** ++ * @function ++ * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ + /** + * @function + * +diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c +index 49bbf079..562c652c 100644 +--- a/lib/nghttp2_helper.c ++++ b/lib/nghttp2_helper.c +@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) { + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c +index 0d9a4044..f3659c18 100644 +--- a/lib/nghttp2_option.c ++++ b/lib/nghttp2_option.c +@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + option->stream_reset_burst = burst; + option->stream_reset_rate = rate; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h +index e6ba9100..c1b48c73 100644 +--- a/lib/nghttp2_option.h ++++ b/lib/nghttp2_option.h +@@ -69,6 +69,7 @@ typedef enum { + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, + NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -96,6 +97,10 @@ struct nghttp2_option { + * NGHTTP2_OPT_MAX_SETTINGS + */ + size_t max_settings; ++ /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; + /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 5ee08dfe..821c57ea 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr, + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -538,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr, + option->stream_reset_burst, + option->stream_reset_rate); + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -6289,6 +6294,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6410,6 +6417,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h +index 03f8bee4..72464024 100644 +--- a/lib/nghttp2_session.h ++++ b/lib/nghttp2_session.h +@@ -107,6 +107,10 @@ typedef struct { + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -281,6 +285,12 @@ struct nghttp2_session { + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +-- +2.44.0 + diff --git a/nghttp2.spec b/nghttp2.spec index 4906bb2..3d38c70 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -1,7 +1,7 @@ Summary: Experimental HTTP/2 client, server and proxy Name: nghttp2 Version: 1.33.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Group: Applications/Internet URL: https://nghttp2.org/ @@ -16,6 +16,9 @@ Patch2: nghttp2-1.33.0-CVE-2020-11080.patch # fix HTTP/2 Rapid Reset (CVE-2023-44487) Patch3: 0003-nghttp2-1.33.0-CVE-2023-44487.patch +# fix CONTINUATION frames DoS (CVE-2024-28182) +Patch4: 0004-nghttp2-1.33.0-CVE-2024-28182.patch + BuildRequires: automake BuildRequires: libtool @@ -60,6 +63,7 @@ for building applications with libnghttp2. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 autoreconf -fiv # make fetch-ocsp-response use Python 3 @@ -131,6 +135,9 @@ make %{?_smp_mflags} check %changelog +* Mon Apr 08 2024 Jan Macku - 1.33.0-6 +- fix CONTINUATION frames DoS (CVE-2024-28182) + * Fri Oct 13 2023 Jan Macku - 1.33.0-5 - fix HTTP/2 Rapid Reset (CVE-2023-44487)