rpms
/
nghttp2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/nghttp2-1.43.0-5.el9_4.3
rpms:imports/c8/nghttp2-1.33.0-5.el8_9
rpms:imports/c8/nghttp2-1.33.0-5.el8_8
rpms:imports/c9/nghttp2-1.43.0-5.el9_3.1
rpms:imports/c9/nghttp2-1.43.0-5.el9_2.1
rpms:imports/c9/nghttp2-1.43.0-5.el9
rpms:imports/c9-beta/nghttp2-1.43.0-5.el9
rpms:imports/c8-beta/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8-beta/nghttp2-1.33.0-1.el8_0.1
rpms:imports/c8-beta/nghttp2-1.33.0-1.el8
rpms:imports/c8s/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8/nghttp2-1.33.0-1.el8_0.1
rpms:imports/c8/nghttp2-1.33.0-1.el8
...
pull from: rpms:c9s
Branches Tags
rpms:c10s
rpms:c9
rpms:c9s
rpms:c8s
rpms:c8
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/nghttp2-1.43.0-5.el9_4.3
rpms:imports/c8/nghttp2-1.33.0-5.el8_9
rpms:imports/c8/nghttp2-1.33.0-5.el8_8
rpms:imports/c9/nghttp2-1.43.0-5.el9_3.1
rpms:imports/c9/nghttp2-1.43.0-5.el9_2.1
rpms:imports/c9/nghttp2-1.43.0-5.el9
rpms:imports/c9-beta/nghttp2-1.43.0-5.el9
rpms:imports/c8-beta/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8-beta/nghttp2-1.33.0-1.el8_0.1
rpms:imports/c8-beta/nghttp2-1.33.0-1.el8
rpms:imports/c8s/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8/nghttp2-1.33.0-3.el8_2.1
rpms:imports/c8/nghttp2-1.33.0-1.el8_0.1
rpms:imports/c8/nghttp2-1.33.0-1.el8

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

9 changed files with 344 additions and 869 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/nghttp2-1.33.0.tar.xz
/nghttp2-[0-9]*.tar.xz

2
.nghttp2.metadata
View File

@ -1 +1 @@
0a11f7de6ea8e66fbecc9fe4ddc61b6ab40af469 SOURCES/nghttp2-1.33.0.tar.xz
b9d846e53af53fc5814015c9d3d6c0d2c684c046 nghttp2-1.43.0.tar.xz

88
SOURCES/0003-nghttp2-1.33.0-CVE-2023-44487.patch → 0001-nghttp2-1.43.0-CVE-2023-44487.patch
View File

@ -1,4 +1,4 @@
From 095040ff7ac242cec5075b8d4bd8c9884bc3ec30 Mon Sep 17 00:00:00 2001
From 965098a38e8118c0a8c6b249dba76cf498f2a126 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sun, 1 Oct 2023 00:05:01 +0900
Subject: [PATCH] Rework session management
@ -38,10 +38,10 @@ Signed-off-by: Jan Macku <jamacku@redhat.com>
create mode 100644 tests/nghttp2_ratelim_test.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index dbac6c8..78b356d 100644
index 08ab279e..5a4b2b56 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -262,6 +262,7 @@ check_include_file("netinet/in.h" HAVE_NETINET_IN_H)
@@ -260,6 +260,7 @@ check_include_file("netinet/in.h" HAVE_NETINET_IN_H)
check_include_file("pwd.h" HAVE_PWD_H)
check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H)
check_include_file("sys/time.h" HAVE_SYS_TIME_H)
@ -49,7 +49,7 @@ index dbac6c8..78b356d 100644
check_include_file("syslog.h" HAVE_SYSLOG_H)
check_include_file("time.h" HAVE_TIME_H)
check_include_file("unistd.h" HAVE_UNISTD_H)
@@ -302,8 +303,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
@@ -300,8 +301,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
include(CheckFunctionExists)
check_function_exists(_Exit HAVE__EXIT)
check_function_exists(accept4 HAVE_ACCEPT4)
@ -62,10 +62,10 @@ index dbac6c8..78b356d 100644
# XXX does this correctly detect initgroups (un)availability on cygwin?
check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS)
diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in
index d67b540..4065029 100644
index 6c96f70a..78c2cc1d 100644
--- a/cmakeconfig.h.in
+++ b/cmakeconfig.h.in
@@ -34,9 +34,15 @@
@@ -31,9 +31,15 @@
/* Define to 1 if you have the `accept4` function. */
#cmakedefine HAVE_ACCEPT4 1
@ -81,7 +81,7 @@ index d67b540..4065029 100644
/* Define to 1 if you have the `initgroups` function. */
#cmakedefine01 HAVE_DECL_INITGROUPS
@@ -73,6 +79,9 @@
@@ -70,6 +76,9 @@
/* Define to 1 if you have the <sys/time.h> header file. */
#cmakedefine HAVE_SYS_TIME_H 1
@ -92,7 +92,7 @@ index d67b540..4065029 100644
#cmakedefine HAVE_SYSLOG_H 1
diff --git a/configure.ac b/configure.ac
index a54398e..a41492c 100644
index 67f86511..a7de8dbb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \
@ -138,10 +138,10 @@ index a54398e..a41492c 100644
# cygwin disables initgroups due to feature test macro magic with our
# configuration. FreeBSD declares initgroups() in unistd.h.
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 5a58f8e..87f6c43 100644
index a7226c1f..f8d7b48f 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -69,6 +69,7 @@ APIDOCS= \
@@ -70,6 +70,7 @@ APIDOCS= \
nghttp2_option_set_user_recv_extension_type.rst \
nghttp2_option_set_max_outbound_ack.rst \
nghttp2_option_set_max_settings.rst \
@ -150,7 +150,7 @@ index 5a58f8e..87f6c43 100644
nghttp2_priority_spec_check_default.rst \
nghttp2_priority_spec_default_init.rst \
diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
index 17e422b..d44de28 100644
index a02a534b..03f6030b 100644
--- a/lib/CMakeLists.txt
+++ b/lib/CMakeLists.txt
@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES
@ -160,10 +160,10 @@ index 17e422b..d44de28 100644
+ nghttp2_ratelim.c
+ nghttp2_time.c
nghttp2_debug.c
nghttp2_ksl.c
)
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 24a5bd6..595714d 100644
index 63fa0fa8..2369f246 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \
@ -172,23 +172,23 @@ index 24a5bd6..595714d 100644
nghttp2_rcbuf.c \
+ nghttp2_ratelim.c \
+ nghttp2_time.c \
nghttp2_debug.c
nghttp2_debug.c \
nghttp2_ksl.c
HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
@@ -65,6 +67,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
@@ -66,6 +68,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
nghttp2_mem.h \
nghttp2_http.h \
nghttp2_rcbuf.h \
+ nghttp2_ratelim.h \
+ nghttp2_time.h \
nghttp2_debug.h
nghttp2_debug.h \
nghttp2_ksl.h
libnghttp2_la_SOURCES = $(HFILES) $(OBJECTS)
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
index b0ff6c5..9eb764c 100644
index edc0defc..1f2a3b93 100644
--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -2671,6 +2671,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
@@ -2719,6 +2719,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
size_t val);
@ -213,7 +213,7 @@ index b0ff6c5..9eb764c 100644
* @function
*
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
index 34348e6..0d9a404 100644
index 34348e66..0d9a4044 100644
--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
@ -228,7 +228,7 @@ index 34348e6..0d9a404 100644
+ option->stream_reset_rate = rate;
+}
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
index 939729f..e6ba910 100644
index 939729fd..e6ba9100 100644
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -68,12 +68,18 @@ typedef enum {
@ -252,7 +252,7 @@ index 939729f..e6ba910 100644
*/
diff --git a/lib/nghttp2_ratelim.c b/lib/nghttp2_ratelim.c
new file mode 100644
index 0000000..7011655
index 00000000..7011655b
--- /dev/null
+++ b/lib/nghttp2_ratelim.c
@@ -0,0 +1,75 @@
@ -333,7 +333,7 @@ index 0000000..7011655
+}
diff --git a/lib/nghttp2_ratelim.h b/lib/nghttp2_ratelim.h
new file mode 100644
index 0000000..866ed3f
index 00000000..866ed3f0
--- /dev/null
+++ b/lib/nghttp2_ratelim.h
@@ -0,0 +1,57 @@
@ -395,7 +395,7 @@ index 0000000..866ed3f
+
+#endif /* NGHTTP2_RATELIM_H */
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 8271198..5ee08df 100644
index 2e7e907f..80072d21 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -36,6 +36,7 @@
@ -430,7 +430,7 @@ index 8271198..5ee08df 100644
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -4144,6 +4155,23 @@ static int session_process_priority_frame(nghttp2_session *session) {
@@ -4153,6 +4164,23 @@ static int session_process_priority_frame(nghttp2_session *session) {
return nghttp2_session_on_priority_received(session, frame);
}
@ -454,7 +454,7 @@ index 8271198..5ee08df 100644
int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
nghttp2_frame *frame) {
int rv;
@@ -4173,7 +4201,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
@@ -4182,7 +4210,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
if (nghttp2_is_fatal(rv)) {
return rv;
}
@ -464,7 +464,7 @@ index 8271198..5ee08df 100644
}
static int session_process_rst_stream_frame(nghttp2_session *session) {
@@ -6941,6 +6970,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id,
@@ -6963,6 +6992,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id,
nghttp2_mem_free(mem, item);
return rv;
}
@ -475,7 +475,7 @@ index 8271198..5ee08df 100644
}
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
index e62a3bb..03f8bee 100644
index 07bfbb6c..9d429921 100644
--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
@@ -39,6 +39,7 @@
@ -497,7 +497,7 @@ index e62a3bb..03f8bee 100644
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -175,7 +180,9 @@ typedef enum {
@@ -176,7 +181,9 @@ typedef enum {
/* Flag means GOAWAY was sent */
NGHTTP2_GOAWAY_SENT = 0x4,
/* Flag means GOAWAY was received */
@ -508,7 +508,7 @@ index e62a3bb..03f8bee 100644
} nghttp2_goaway_flag;
/* nghttp2_inflight_settings stores the SETTINGS entries which local
@@ -229,6 +236,9 @@ struct nghttp2_session {
@@ -227,6 +234,9 @@ struct nghttp2_session {
/* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not
considered as in-flight. */
nghttp2_inflight_settings *inflight_settings_head;
@ -520,7 +520,7 @@ index e62a3bb..03f8bee 100644
size_t num_outgoing_streams;
diff --git a/lib/nghttp2_time.c b/lib/nghttp2_time.c
new file mode 100644
index 0000000..2a5f1a6
index 00000000..2a5f1a6f
--- /dev/null
+++ b/lib/nghttp2_time.c
@@ -0,0 +1,62 @@
@ -588,7 +588,7 @@ index 0000000..2a5f1a6
+#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
diff --git a/lib/nghttp2_time.h b/lib/nghttp2_time.h
new file mode 100644
index 0000000..03c0bbe
index 00000000..03c0bbe9
--- /dev/null
+++ b/lib/nghttp2_time.h
@@ -0,0 +1,38 @@
@ -631,7 +631,7 @@ index 0000000..03c0bbe
+
+#endif /* NGHTTP2_TIME_H */
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4250ac3..344c542 100644
index 4250ac3a..344c5422 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -21,6 +21,7 @@ if(HAVE_CUNIT)
@ -643,7 +643,7 @@ index 4250ac3..344c542 100644
add_executable(main EXCLUDE_FROM_ALL
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c3e4392..c130a00 100644
index c3e43925..c130a000 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghttp2_map_test.c nghttp2_queue_test.c \
@ -666,7 +666,7 @@ index c3e4392..c130a00 100644
main_SOURCES = $(HFILES) $(OBJECTS)
diff --git a/tests/main.c b/tests/main.c
index 1f795cd..334cad8 100644
index 25cbbfd7..c4d39bbc 100644
--- a/tests/main.c
+++ b/tests/main.c
@@ -40,6 +40,7 @@
@ -677,7 +677,7 @@ index 1f795cd..334cad8 100644
extern int nghttp2_enable_strict_preface;
@@ -323,6 +324,8 @@ int main() {
@@ -329,6 +330,8 @@ int main() {
test_nghttp2_session_no_closed_streams) ||
!CU_add_test(pSuite, "session_set_stream_user_data",
test_nghttp2_session_set_stream_user_data) ||
@ -686,7 +686,7 @@ index 1f795cd..334cad8 100644
!CU_add_test(pSuite, "http_mandatory_headers",
test_nghttp2_http_mandatory_headers) ||
!CU_add_test(pSuite, "http_content_length",
@@ -418,7 +421,9 @@ int main() {
@@ -425,7 +428,9 @@ int main() {
!CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) ||
!CU_add_test(pSuite, "bufs_next_present",
test_nghttp2_bufs_next_present) ||
@ -699,7 +699,7 @@ index 1f795cd..334cad8 100644
}
diff --git a/tests/nghttp2_ratelim_test.c b/tests/nghttp2_ratelim_test.c
new file mode 100644
index 0000000..6abece9
index 00000000..6abece95
--- /dev/null
+++ b/tests/nghttp2_ratelim_test.c
@@ -0,0 +1,101 @@
@ -806,7 +806,7 @@ index 0000000..6abece9
+}
diff --git a/tests/nghttp2_ratelim_test.h b/tests/nghttp2_ratelim_test.h
new file mode 100644
index 0000000..02b2f2b
index 00000000..02b2f2b2
--- /dev/null
+++ b/tests/nghttp2_ratelim_test.h
@@ -0,0 +1,35 @@
@ -846,10 +846,10 @@ index 0000000..02b2f2b
+
+#endif /* NGHTTP2_RATELIM_TEST_H */
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
index ab76ab4..dece5c1 100644
index 962e3c13..43db9352 100644
--- a/tests/nghttp2_session_test.c
+++ b/tests/nghttp2_session_test.c
@@ -10790,6 +10790,109 @@ void test_nghttp2_session_set_stream_user_data(void) {
@@ -11055,6 +11055,109 @@ void test_nghttp2_session_set_stream_user_data(void) {
nghttp2_session_del(session);
}
@ -960,10 +960,10 @@ index ab76ab4..dece5c1 100644
nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id,
int stream_state, const nghttp2_nv *nva, size_t nvlen) {
diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
index c5095c2..2b74e88 100644
index bdedd849..23fda64a 100644
--- a/tests/nghttp2_session_test.h
+++ b/tests/nghttp2_session_test.h
@@ -160,6 +160,7 @@ void test_nghttp2_session_removed_closed_stream(void);
@@ -162,6 +162,7 @@ void test_nghttp2_session_removed_closed_stream(void);
void test_nghttp2_session_pause_data(void);
void test_nghttp2_session_no_closed_streams(void);
void test_nghttp2_session_set_stream_user_data(void);

193
0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch Normal file
View File

@ -0,0 +1,193 @@
From faca42daa4d3166e0af50cd1b33dc607a0f63af1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
Signed-off-by: Jan Macku <jamacku@redhat.com>
Add nghttp2_option_set_max_continuations
(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9)
Signed-off-by: Jan Macku <jamacku@redhat.com>
---
doc/Makefile.am | 1 +
lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++-
lib/nghttp2_helper.c | 2 ++
lib/nghttp2_option.c | 5 +++++
lib/nghttp2_option.h | 5 +++++
lib/nghttp2_session.c | 11 +++++++++++
lib/nghttp2_session.h | 10 ++++++++++
7 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index f8d7b48f..39d0d304 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -68,6 +68,7 @@ APIDOCS= \
nghttp2_option_set_no_recv_client_magic.rst \
nghttp2_option_set_peer_max_concurrent_streams.rst \
nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_continuations.rst \
nghttp2_option_set_max_outbound_ack.rst \
nghttp2_option_set_max_settings.rst \
nghttp2_option_set_stream_reset_rate_limit.rst \
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
index 1f2a3b93..1137e645 100644
--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
@@ -2736,6 +2741,17 @@ NGHTTP2_EXTERN void
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
uint64_t burst, uint64_t rate);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
index 0bd54147..4158a0b0 100644
--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
index 0d9a4044..f3659c18 100644
--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
index e6ba9100..c1b48c73 100644
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -69,6 +69,7 @@ typedef enum {
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -96,6 +97,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_SETTINGS
*/
size_t max_settings;
+ /**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 80072d21..3e11bd8f 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -538,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr,
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6309,6 +6314,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6430,6 +6437,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
index 9d429921..d8f9c395 100644
--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
@@ -107,6 +107,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -279,6 +283,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.44.0

454
SOURCES/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
View File

@ -1,454 +0,0 @@
From 4b7aefd8fd1612d455f2f128c09230335ed0cee6 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 6 Aug 2019 20:48:50 +0900
Subject: [PATCH 1/3] nghttpx: Fix request stall
Fix request stall if backend connection is reused and buffer is full.
Upstream-commit: db2f612a30d54aa152ce5530fa1d683738baa4d1
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
integration-tests/nghttpx_http1_test.go | 29 +++++++++++++++++++++++++
integration-tests/server_tester.go | 4 +++-
src/shrpx_downstream.cc | 12 +++++++++-
src/shrpx_downstream.h | 4 ++++
src/shrpx_http_downstream_connection.cc | 16 +++++++++++++-
src/shrpx_https_upstream.cc | 4 +---
6 files changed, 63 insertions(+), 6 deletions(-)
diff --git a/integration-tests/nghttpx_http1_test.go b/integration-tests/nghttpx_http1_test.go
index a765333..3d41677 100644
--- a/integration-tests/nghttpx_http1_test.go
+++ b/integration-tests/nghttpx_http1_test.go
@@ -625,6 +625,35 @@ func TestH1H1HTTPSRedirectPort(t *testing.T) {
}
}
+// TestH1H1POSTRequests tests that server can handle 2 requests with
+// request body.
+func TestH1H1POSTRequests(t *testing.T) {
+ st := newServerTester(nil, t, noopHandler)
+ defer st.Close()
+
+ res, err := st.http1(requestParam{
+ name: "TestH1H1POSTRequestsNo1",
+ body: make([]byte, 1),
+ })
+ if err != nil {
+ t.Fatalf("Error st.http1() = %v", err)
+ }
+ if got, want := res.status, 200; got != want {
+ t.Errorf("res.status: %v; want %v", got, want)
+ }
+
+ res, err = st.http1(requestParam{
+ name: "TestH1H1POSTRequestsNo2",
+ body: make([]byte, 65536),
+ })
+ if err != nil {
+ t.Fatalf("Error st.http1() = %v", err)
+ }
+ if got, want := res.status, 200; got != want {
+ t.Errorf("res.status: %v; want %v", got, want)
+ }
+}
+
// // TestH1H2ConnectFailure tests that server handles the situation that
// // connection attempt to HTTP/2 backend failed.
// func TestH1H2ConnectFailure(t *testing.T) {
diff --git a/integration-tests/server_tester.go b/integration-tests/server_tester.go
index d145519..1156986 100644
--- a/integration-tests/server_tester.go
+++ b/integration-tests/server_tester.go
@@ -662,7 +662,9 @@ func cloneHeader(h http.Header) http.Header {
return h2
}
-func noopHandler(w http.ResponseWriter, r *http.Request) {}
+func noopHandler(w http.ResponseWriter, r *http.Request) {
+ ioutil.ReadAll(r.Body)
+}
type APIResponse struct {
Status string `json:"status,omitempty"`
diff --git a/src/shrpx_downstream.cc b/src/shrpx_downstream.cc
index 360a9a9..48db65b 100644
--- a/src/shrpx_downstream.cc
+++ b/src/shrpx_downstream.cc
@@ -144,7 +144,8 @@ Downstream::Downstream(Upstream *upstream, MemchunkPool *mcpool,
request_header_sent_(false),
accesslog_written_(false),
new_affinity_cookie_(false),
- blocked_request_data_eof_(false) {
+ blocked_request_data_eof_(false),
+ expect_100_continue_(false) {
auto &timeoutconf = get_config()->http2.timeout;
@@ -807,6 +808,11 @@ void Downstream::inspect_http1_request() {
chunked_request_ = true;
}
}
+
+ auto expect = req_.fs.header(http2::HD_EXPECT);
+ expect_100_continue_ =
+ expect &&
+ util::strieq(expect->value, StringRef::from_lit("100-continue"));
}
void Downstream::inspect_http1_response() {
@@ -1103,4 +1109,8 @@ bool Downstream::get_blocked_request_data_eof() const {
return blocked_request_data_eof_;
}
+bool Downstream::get_expect_100_continue() const {
+ return expect_100_continue_;
+}
+
} // namespace shrpx
diff --git a/src/shrpx_downstream.h b/src/shrpx_downstream.h
index c81fcf6..b9a851f 100644
--- a/src/shrpx_downstream.h
+++ b/src/shrpx_downstream.h
@@ -466,6 +466,8 @@ public:
EVENT_TIMEOUT = 0x2,
};
+ bool get_expect_100_continue() const;
+
enum {
DISPATCH_NONE,
DISPATCH_PENDING,
@@ -556,6 +558,8 @@ private:
// true if eof is received from client before sending header fields
// to backend.
bool blocked_request_data_eof_;
+ // true if request contains "expect: 100-continue" header field.
+ bool expect_100_continue_;
};
} // namespace shrpx
diff --git a/src/shrpx_http_downstream_connection.cc b/src/shrpx_http_downstream_connection.cc
index f50c0f4..85ca947 100644
--- a/src/shrpx_http_downstream_connection.cc
+++ b/src/shrpx_http_downstream_connection.cc
@@ -698,7 +698,8 @@ int HttpDownstreamConnection::push_request_headers() {
// signal_write() when we received request body chunk, and it
// enables us to send headers and data in one writev system call.
if (connect_method || downstream_->get_blocked_request_buf()->rleft() ||
- (!req.http2_expect_body && req.fs.content_length == 0)) {
+ (!req.http2_expect_body && req.fs.content_length == 0) ||
+ downstream_->get_expect_100_continue()) {
signal_write();
}
@@ -1172,6 +1173,19 @@ int HttpDownstreamConnection::write_reuse_first() {
reuse_first_write_done_ = true;
+ // upstream->resume_read() might be called in
+ // write_tls()/write_clear(), but before blocked_request_buf_ is
+ // reset. So upstream read might still be blocked. Let's do it
+ // again here.
+ auto input = downstream_->get_request_buf();
+ if (input->rleft() == 0) {
+ auto upstream = downstream_->get_upstream();
+ auto &req = downstream_->request();
+
+ upstream->resume_read(SHRPX_NO_BUFFER, downstream_,
+ req.unconsumed_body_length);
+ }
+
return 0;
}
diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc
index 452ec90..96ca2cd 100644
--- a/src/shrpx_https_upstream.cc
+++ b/src/shrpx_https_upstream.cc
@@ -467,9 +467,7 @@ int htp_hdrs_completecb(http_parser *htp) {
// and let them decide whether responds with 100 Continue or not.
// For alternative mode, we have no backend, so just send 100
// Continue here to make the client happy.
- auto expect = req.fs.header(http2::HD_EXPECT);
- if (expect &&
- util::strieq(expect->value, StringRef::from_lit("100-continue"))) {
+ if (downstream->get_expect_100_continue()) {
auto output = downstream->get_response_buf();
constexpr auto res = StringRef::from_lit("HTTP/1.1 100 Continue\r\n\r\n");
output->append(res);
--
2.20.1
From 589a98eba0b3c7a4dbb2262c60b609cac2b1f838 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 25 Jun 2019 22:33:35 +0900
Subject: [PATCH 2/3] Add nghttp2_option_set_max_outbound_ack
Upstream-commit: a76d0723b5f52902139ff453e0ec840673e86e75
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
doc/Makefile.am | 1 +
lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
lib/nghttp2_option.c | 5 +++++
lib/nghttp2_option.h | 5 +++++
lib/nghttp2_session.c | 9 +++++++--
lib/nghttp2_session.h | 8 ++++++--
tests/nghttp2_session_test.c | 4 ++--
7 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 07cd34e..66e5ba3 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -67,6 +67,7 @@ APIDOCS= \
nghttp2_option_set_no_recv_client_magic.rst \
nghttp2_option_set_peer_max_concurrent_streams.rst \
nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_outbound_ack.rst \
nghttp2_pack_settings_payload.rst \
nghttp2_priority_spec_check_default.rst \
nghttp2_priority_spec_default_init.rst \
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
index 14f8950..137a675 100644
--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -2637,6 +2637,17 @@ nghttp2_option_set_max_deflate_dynamic_table_size(nghttp2_option *option,
NGHTTP2_EXTERN void nghttp2_option_set_no_closed_streams(nghttp2_option *option,
int val);
+/**
+ * @function
+ *
+ * This function sets the maximum number of outgoing SETTINGS ACK and
+ * PING ACK frames retained in :type:`nghttp2_session` object. If
+ * more than those frames are retained, the peer is considered to be
+ * misbehaving and session will be closed. The default value is 1000.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
index aec5dcf..ae22493 100644
--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
@@ -116,3 +116,8 @@ void nghttp2_option_set_no_closed_streams(nghttp2_option *option, int val) {
option->opt_set_mask |= NGHTTP2_OPT_NO_CLOSED_STREAMS;
option->no_closed_streams = val;
}
+
+void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
+ option->max_outbound_ack = val;
+}
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
index c743e33..86d31f7 100644
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -66,6 +66,7 @@ typedef enum {
NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH = 1 << 8,
NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
+ NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
} nghttp2_option_flag;
/**
@@ -80,6 +81,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE
*/
size_t max_deflate_dynamic_table_size;
+ /**
+ * NGHTTP2_OPT_MAX_OUTBOUND_ACK
+ */
+ size_t max_outbound_ack;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index c58f059..8628cc7 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -457,6 +457,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->remote_settings.max_concurrent_streams = 100;
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+ (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -516,6 +517,10 @@ static int session_new(nghttp2_session **session_ptr,
option->no_closed_streams) {
(*session_ptr)->opt_flags |= NGHTTP2_OPTMASK_NO_CLOSED_STREAMS;
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
+ (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6831,7 +6836,7 @@ int nghttp2_session_add_ping(nghttp2_session *session, uint8_t flags,
mem = &session->mem;
if ((flags & NGHTTP2_FLAG_ACK) &&
- session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) {
+ session->obq_flood_counter_ >= session->max_outbound_ack) {
return NGHTTP2_ERR_FLOODED;
}
@@ -6976,7 +6981,7 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags,
return NGHTTP2_ERR_INVALID_ARGUMENT;
}
- if (session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) {
+ if (session->obq_flood_counter_ >= session->max_outbound_ack) {
return NGHTTP2_ERR_FLOODED;
}
}
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
index c7cb27d..d9e2846 100644
--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
@@ -97,7 +97,7 @@ typedef struct {
response frames are stacked up, which leads to memory exhaustion.
The value selected here is arbitrary, but safe value and if we have
these frames in this number, it is considered suspicious. */
-#define NGHTTP2_MAX_OBQ_FLOOD_ITEM 10000
+#define NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM 1000
/* The default value of maximum number of concurrent streams. */
#define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
@@ -260,8 +260,12 @@ struct nghttp2_session {
size_t num_idle_streams;
/* The number of bytes allocated for nvbuf */
size_t nvbuflen;
- /* Counter for detecting flooding in outbound queue */
+ /* Counter for detecting flooding in outbound queue. If it exceeds
+ max_outbound_ack, session will be closed. */
size_t obq_flood_counter_;
+ /* The maximum number of outgoing SETTINGS ACK and PING ACK in
+ outbound queue. */
+ size_t max_outbound_ack;
/* The maximum length of header block to send. Calculated by the
same way as nghttp2_hd_deflate_bound() does. */
size_t max_send_header_block_length;
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
index 783b0ed..debec59 100644
--- a/tests/nghttp2_session_test.c
+++ b/tests/nghttp2_session_test.c
@@ -9894,7 +9894,7 @@ void test_nghttp2_session_flooding(void) {
buf = &bufs.head->buf;
- for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) {
+ for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) {
CU_ASSERT(
(ssize_t)nghttp2_buf_len(buf) ==
nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)));
@@ -9916,7 +9916,7 @@ void test_nghttp2_session_flooding(void) {
buf = &bufs.head->buf;
- for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) {
+ for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) {
CU_ASSERT(
(ssize_t)nghttp2_buf_len(buf) ==
nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)));
--
2.20.1
From e32b3e4c9df4abb83ca1c1c41901fadbae44699b Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 25 Jun 2019 22:38:43 +0900
Subject: [PATCH 3/3] Don't read too greedily
Upstream-commit: 83d362c6d21f76599b86e7b94cd1992288a1d43c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/HttpServer.cc | 2 ++
src/shrpx_client_handler.cc | 9 +++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index b3e35ef..a75cee4 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -650,6 +650,7 @@ int Http2Handler::read_clear() {
}
return -1;
}
+ break;
}
return write_(*this);
@@ -775,6 +776,7 @@ int Http2Handler::read_tls() {
}
return -1;
}
+ break;
}
fin:
diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc
index 21430dd..fa1fc87 100644
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@@ -111,6 +111,7 @@ void writecb(struct ev_loop *loop, ev_io *w, int revents) {
int ClientHandler::noop() { return 0; }
int ClientHandler::read_clear() {
+ auto should_break = false;
rb_.ensure_chunk();
for (;;) {
if (rb_.rleft() && on_read() != 0) {
@@ -123,7 +124,7 @@ int ClientHandler::read_clear() {
return 0;
}
- if (!ev_is_active(&conn_.rev)) {
+ if (!ev_is_active(&conn_.rev) || should_break) {
return 0;
}
@@ -141,6 +142,7 @@ int ClientHandler::read_clear() {
}
rb_.write(nread);
+ should_break = true;
}
}
@@ -205,6 +207,8 @@ int ClientHandler::tls_handshake() {
}
int ClientHandler::read_tls() {
+ auto should_break = false;
+
ERR_clear_error();
rb_.ensure_chunk();
@@ -221,7 +225,7 @@ int ClientHandler::read_tls() {
return 0;
}
- if (!ev_is_active(&conn_.rev)) {
+ if (!ev_is_active(&conn_.rev) || should_break) {
return 0;
}
@@ -239,6 +243,7 @@ int ClientHandler::read_tls() {
}
rb_.write(nread);
+ should_break = true;
}
}
--
2.20.1

340
SOURCES/nghttp2-1.33.0-CVE-2020-11080.patch
View File

@ -1,340 +0,0 @@
From 34670cfbc56f1c63ec046c38b9ad518010b5c84d Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Fri, 17 Apr 2020 16:53:51 -0700
Subject: [PATCH 1/2] Implement max settings option
Upstream-commit: 336a98feb0d56b9ac54e12736b18785c27f75090
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
doc/CMakeLists.txt | 1 +
doc/Makefile.am | 1 +
lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
lib/nghttp2_helper.c | 2 ++
lib/nghttp2_option.c | 5 +++
lib/nghttp2_option.h | 5 +++
lib/nghttp2_session.c | 21 ++++++++++++
lib/nghttp2_session.h | 2 ++
tests/main.c | 2 ++
tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++
tests/nghttp2_session_test.h | 1 +
11 files changed, 124 insertions(+)
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 34c0279..f3aec84 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -42,6 +42,7 @@ set(APIDOCS
nghttp2_option_set_no_recv_client_magic.rst
nghttp2_option_set_peer_max_concurrent_streams.rst
nghttp2_option_set_user_recv_extension_type.rst
+ nghttp2_option_set_max_settings.rst
nghttp2_pack_settings_payload.rst
nghttp2_priority_spec_check_default.rst
nghttp2_priority_spec_default_init.rst
diff --git a/doc/Makefile.am b/doc/Makefile.am
index c17d933..5a58f8e 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -68,6 +68,7 @@ APIDOCS= \
nghttp2_option_set_peer_max_concurrent_streams.rst \
nghttp2_option_set_user_recv_extension_type.rst \
nghttp2_option_set_max_outbound_ack.rst \
+ nghttp2_option_set_max_settings.rst \
nghttp2_pack_settings_payload.rst \
nghttp2_priority_spec_check_default.rst \
nghttp2_priority_spec_default_init.rst \
diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
index d79bf48..b0ff6c5 100644
--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -222,6 +222,13 @@ typedef struct {
*/
#define NGHTTP2_CLIENT_MAGIC_LEN 24
+/**
+ * @macro
+ *
+ * The default max number of settings per SETTINGS frame
+ */
+#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
+
/**
* @enum
*
@@ -392,6 +399,11 @@ typedef enum {
* receives an other type of frame.
*/
NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
+ /**
+ * When a local endpoint receives too many settings entries
+ * in a single SETTINGS frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
/**
* The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
* under unexpected condition and processing was terminated (e.g.,
@@ -2648,6 +2660,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_no_closed_streams(nghttp2_option *option,
NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
size_t val);
+/**
+ * @function
+ *
+ * This function sets the maximum number of SETTINGS entries per
+ * SETTINGS frame that will be accepted. If more than those entries
+ * are received, the peer is considered to be misbehaving and session
+ * will be closed. The default value is 32.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
index 3b282c7..49bbf07 100644
--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
case NGHTTP2_ERR_FLOODED:
return "Flooding was detected in this HTTP/2 session, and it must be "
"closed";
+ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+ return "SETTINGS frame contained more than the maximum allowed entries";
default:
return "Unknown error code";
}
diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
index e53f22d..34348e6 100644
--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) {
option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
option->max_outbound_ack = val;
}
+
+void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
+ option->max_settings = val;
+}
diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
index 1f740aa..939729f 100644
--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
@@ -67,6 +67,7 @@ typedef enum {
NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
+ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
} nghttp2_option_flag;
/**
@@ -85,6 +86,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_OUTBOUND_ACK
*/
size_t max_outbound_ack;
+ /**
+ * NGHTTP2_OPT_MAX_SETTINGS
+ */
+ size_t max_settings;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 670f83f..7638823 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -458,6 +458,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -521,6 +522,11 @@ static int session_new(nghttp2_session **session_ptr,
if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
(*session_ptr)->max_outbound_ack = option->max_outbound_ack;
}
+
+ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
+ option->max_settings) {
+ (*session_ptr)->max_settings = option->max_settings;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -5658,6 +5664,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
iframe->max_niv =
iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
+ if (iframe->max_niv - 1 > session->max_settings) {
+ rv = nghttp2_session_terminate_session_with_reason(
+ session, NGHTTP2_ENHANCE_YOUR_CALM,
+ "SETTINGS: too many setting entries");
+ if (nghttp2_is_fatal(rv)) {
+ return rv;
+ }
+ return (ssize_t)inlen;
+ }
+
iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
iframe->max_niv);
@@ -7413,6 +7429,11 @@ static int nghttp2_session_upgrade_internal(nghttp2_session *session,
if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
return NGHTTP2_ERR_INVALID_ARGUMENT;
}
+ /* SETTINGS frame contains too many settings */
+ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
+ > session->max_settings) {
+ return NGHTTP2_ERR_TOO_MANY_SETTINGS;
+ }
rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
settings_payloadlen, mem);
if (rv != 0) {
diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
index 2969364..e62a3bb 100644
--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
@@ -269,6 +269,8 @@ struct nghttp2_session {
/* The maximum length of header block to send. Calculated by the
same way as nghttp2_hd_deflate_bound() does. */
size_t max_send_header_block_length;
+ /* The maximum number of settings accepted per SETTINGS frame. */
+ size_t max_settings;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
diff --git a/tests/main.c b/tests/main.c
index 13865de..1f795cd 100644
--- a/tests/main.c
+++ b/tests/main.c
@@ -313,6 +313,8 @@ int main() {
test_nghttp2_session_set_local_window_size) ||
!CU_add_test(pSuite, "session_cancel_from_before_frame_send",
test_nghttp2_session_cancel_from_before_frame_send) ||
+ !CU_add_test(pSuite, "session_too_many_settings",
+ test_nghttp2_session_too_many_settings) ||
!CU_add_test(pSuite, "session_removed_closed_stream",
test_nghttp2_session_removed_closed_stream) ||
!CU_add_test(pSuite, "session_pause_data",
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
index 0013e92..ab76ab4 100644
--- a/tests/nghttp2_session_test.c
+++ b/tests/nghttp2_session_test.c
@@ -10450,6 +10450,67 @@ void test_nghttp2_session_cancel_from_before_frame_send(void) {
nghttp2_session_del(session);
}
+void test_nghttp2_session_too_many_settings(void) {
+ nghttp2_session *session;
+ nghttp2_option *option;
+ nghttp2_session_callbacks callbacks;
+ nghttp2_frame frame;
+ nghttp2_bufs bufs;
+ nghttp2_buf *buf;
+ ssize_t rv;
+ my_user_data ud;
+ nghttp2_settings_entry iv[3];
+ nghttp2_mem *mem;
+ nghttp2_outbound_item *item;
+
+ mem = nghttp2_mem_default();
+ frame_pack_bufs_init(&bufs);
+
+ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
+ callbacks.on_frame_recv_callback = on_frame_recv_callback;
+ callbacks.send_callback = null_send_callback;
+
+ nghttp2_option_new(&option);
+ nghttp2_option_set_max_settings(option, 1);
+
+ nghttp2_session_client_new2(&session, &callbacks, &ud, option);
+
+ CU_ASSERT(1 == session->max_settings);
+
+ nghttp2_option_del(option);
+
+ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
+ iv[0].value = 3000;
+
+ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
+ iv[1].value = 16384;
+
+ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
+ 2);
+
+ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
+
+ CU_ASSERT(0 == rv);
+ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
+
+ nghttp2_frame_settings_free(&frame.settings, mem);
+
+ buf = &bufs.head->buf;
+ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
+
+ ud.frame_recv_cb_called = 0;
+
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
+
+ item = nghttp2_session_get_next_ob_item(session);
+ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
+
+ nghttp2_bufs_reset(&bufs);
+ nghttp2_bufs_free(&bufs);
+ nghttp2_session_del(session);
+}
+
static void
prepare_session_removed_closed_stream(nghttp2_session *session,
nghttp2_hd_deflater *deflater) {
diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
index 35a48b8..c5095c2 100644
--- a/tests/nghttp2_session_test.h
+++ b/tests/nghttp2_session_test.h
@@ -155,6 +155,7 @@ void test_nghttp2_session_repeated_priority_change(void);
void test_nghttp2_session_repeated_priority_submission(void);
void test_nghttp2_session_set_local_window_size(void);
void test_nghttp2_session_cancel_from_before_frame_send(void);
+void test_nghttp2_session_too_many_settings(void);
void test_nghttp2_session_removed_closed_stream(void);
void test_nghttp2_session_pause_data(void);
void test_nghttp2_session_no_closed_streams(void);
--
2.21.3
From da3f4a5730ffa015a9e2d62e6e876a02f1dced20 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Sun, 19 Apr 2020 09:12:24 -0700
Subject: [PATCH 2/2] Earlier check for settings flood
Upstream-commit: f8da73bd042f810f34d19f9eae02b46d870af394
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nghttp2_session.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 7638823..8271198 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -5654,6 +5654,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
break;
}
+ /* Check the settings flood counter early to be safe */
+ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
+ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
+ return NGHTTP2_ERR_FLOODED;
+ }
+
iframe->state = NGHTTP2_IB_READ_SETTINGS;
if (iframe->payloadleft) {
--
2.21.3

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

127
SPECS/nghttp2.spec → nghttp2.spec
View File

@ -1,20 +1,16 @@
Summary: Experimental HTTP/2 client, server and proxy
Name: nghttp2
Version: 1.33.0
Release: 5%{?dist}
Version: 1.43.0
Release: 6%{?dist}
License: MIT
Group: Applications/Internet
URL: https://nghttp2.org/
Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
# backport security fixes from nghttp2-1.39.2 (CVE-2019-9511 and CVE-2019-9513)
Patch1: nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
# prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
Patch2: nghttp2-1.33.0-CVE-2020-11080.patch
# fix HTTP/2 Rapid Reset (CVE-2023-44487)
Patch3: 0003-nghttp2-1.33.0-CVE-2023-44487.patch
Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch
# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
BuildRequires: automake
BuildRequires: libtool
@ -23,6 +19,8 @@ BuildRequires: CUnit-devel
BuildRequires: c-ares-devel
BuildRequires: gcc-c++
BuildRequires: libev-devel
BuildRequires: libxml2-devel
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: systemd-devel
@ -37,7 +35,6 @@ This package contains the HTTP/2 client, server and proxy programs.
%package -n libnghttp2
Summary: A library implementing the HTTP/2 protocol
Group: Development/Libraries
%description -n libnghttp2
libnghttp2 is a library implementing the Hypertext Transfer Protocol
@ -46,7 +43,6 @@ version 2 (HTTP/2) protocol in C.
%package -n libnghttp2-devel
Summary: Files needed for building applications with libnghttp2
Group: Development/Libraries
Requires: libnghttp2%{?_isa} = %{version}-%{release}
Requires: pkgconfig
@ -56,20 +52,18 @@ for building applications with libnghttp2.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
autoreconf -fiv
%autosetup -p1
autoreconf -fvi
# make fetch-ocsp-response use Python 3
sed -e '1 s|^#!/.*python|&3|' -i script/fetch-ocsp-response
%build
%configure PYTHON=%{__python3} \
--disable-hpack-tools \
--disable-python-bindings \
--disable-static \
--without-libxml2 \
--with-libxml2 \
--without-spdylay
# avoid using rpath
@ -77,7 +71,7 @@ sed -i libtool \
-e 's/^runpath_var=.*/runpath_var=/' \
-e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/'
make %{?_smp_mflags} V=1
%make_build
%install
@ -103,7 +97,7 @@ rm -f "$RPM_BUILD_ROOT%{_datadir}/doc/nghttp2/README.rst"
%check
# test the just built library instead of the system one, without using rpath
export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
make %{?_smp_mflags} check
%make_build check
%files
@ -131,21 +125,96 @@ make %{?_smp_mflags} check
%changelog
* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.33.0-5
* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.43.0-6
- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.43.0-5.1
- fix HTTP/2 Rapid Reset (CVE-2023-44487)
* Tue Jun 09 2020 Kamil Dudka <kdudka@redhat.com> 1.33.0-4
- prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Aug 28 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-3
- rebuild to trigger gating (#1681044)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Mon Aug 19 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-2
- backport security fixes from nghttp2-1.39.2 (CVE-2019-9511 and CVE-2019-9513)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Oct 09 2018 Kamil Dudka <kdudka@redhat.com> 1.33.0-1
* Tue Mar 30 2021 Jonathan Wakely <jwakely@redhat.com> - 1.43.0-2
- Rebuilt for removed libstdc++ symbol (#1937698)
* Tue Feb 02 2021 Kamil Dudka <kdudka@redhat.com> 1.43.0-1
- update to the latest upstream release
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.42.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Nov 24 2020 Kamil Dudka <kdudka@redhat.com> 1.42.0-1
- update to the latest upstream release
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.41.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.41.0-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Tue Jun 02 2020 Kamil Dudka <kdudka@redhat.com> 1.41.0-1
- update to the latest upstream release
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.40.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 15 2019 Kamil Dudka <kdudka@redhat.com> 1.40.0-1
- update to the latest upstream release
* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> 1.39.2-2
- enable use of libxml2 to make `nghttp --get-assets` work (#1772462)
* Wed Aug 14 2019 Kamil Dudka <kdudka@redhat.com> 1.39.2-1
- update to the latest upstream release
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.39.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 11 2019 Kamil Dudka <kdudka@redhat.com> 1.39.1-1
- update to the latest upstream release
* Tue Jun 11 2019 Kamil Dudka <kdudka@redhat.com> 1.39.0-1
- update to the latest upstream release
* Thu Apr 18 2019 Kamil Dudka <kdudka@redhat.com> 1.38.0-1
- update to the latest upstream release
* Fri Mar 08 2019 Kamil Dudka <kdudka@redhat.com> 1.37.0-1
- update to the latest upstream release
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.36.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 18 2019 Kamil Dudka <kdudka@redhat.com> 1.36.0-1
- update to the latest upstream release
* Mon Dec 10 2018 Kamil Dudka <kdudka@redhat.com> 1.35.1-1
- update to the latest upstream release
* Fri Nov 23 2018 Kamil Dudka <kdudka@redhat.com> 1.35.0-1
- update to the latest upstream release
* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> 1.34.0-1
- update to the latest upstream release
* Mon Sep 03 2018 Kamil Dudka <kdudka@redhat.com> 1.33.0-1
- use python3 for build
- update to the latest upstream release (#1636992)
- update to the latest upstream release
* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> 1.32.1-1
- update to the latest upstream bugfix release
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.32.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 09 2018 Kamil Dudka <kdudka@redhat.com> 1.32.0-1
- update to the latest upstream release

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (nghttp2-1.43.0.tar.xz) = eac69ba356870a1cba420a06771082897be8dd40a68f4e04223f41f3d22626e4f5b3766d3dbcc496dd212be01f64c3ac280a2ebddd31dd88f7350c20f56e5d39