7 changed files with 894 additions and 159 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/nghttp2-1.43.0.tar.xz
+SOURCES/nghttp2-1.33.0.tar.xz
--- a/.nghttp2.metadata
+++ b/.nghttp2.metadata
@ -1 +1 @@
-b9d846e53af53fc5814015c9d3d6c0d2c684c046 SOURCES/nghttp2-1.43.0.tar.xz
+0a11f7de6ea8e66fbecc9fe4ddc61b6ab40af469 SOURCES/nghttp2-1.33.0.tar.xz
--- a/SOURCES/0003-nghttp2-1.33.0-CVE-2023-44487.patch
+++ b/SOURCES/0003-nghttp2-1.33.0-CVE-2023-44487.patch
@ -1,4 +1,4 @@
-From 965098a38e8118c0a8c6b249dba76cf498f2a126 Mon Sep 17 00:00:00 2001
+From 095040ff7ac242cec5075b8d4bd8c9884bc3ec30 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sun, 1 Oct 2023 00:05:01 +0900
 Subject: [PATCH] Rework session management
@ -38,10 +38,10 @@ Signed-off-by: Jan Macku <jamacku@redhat.com>
 create mode 100644 tests/nghttp2_ratelim_test.h
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 08ab279e..5a4b2b56 100644
+index dbac6c8..78b356d 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -260,6 +260,7 @@ check_include_file("netinet/in.h"   HAVE_NETINET_IN_H)
+@@ -262,6 +262,7 @@ check_include_file("netinet/in.h"   HAVE_NETINET_IN_H)
 check_include_file("pwd.h"          HAVE_PWD_H)
 check_include_file("sys/socket.h"   HAVE_SYS_SOCKET_H)
 check_include_file("sys/time.h"     HAVE_SYS_TIME_H)
@ -49,7 +49,7 @@ index 08ab279e..5a4b2b56 100644
 check_include_file("syslog.h"       HAVE_SYSLOG_H)
 check_include_file("time.h"         HAVE_TIME_H)
 check_include_file("unistd.h"       HAVE_UNISTD_H)
-@@ -300,8 +301,11 @@ check_type_size("time_t"  SIZEOF_TIME_T)
+@@ -302,8 +303,11 @@ check_type_size("time_t"  SIZEOF_TIME_T)
 include(CheckFunctionExists)
 check_function_exists(_Exit     HAVE__EXIT)
 check_function_exists(accept4   HAVE_ACCEPT4)
@ -62,10 +62,10 @@ index 08ab279e..5a4b2b56 100644
 # XXX does this correctly detect initgroups (un)availability on cygwin?
 check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS)
 diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in
-index 6c96f70a..78c2cc1d 100644
+index d67b540..4065029 100644
 --- a/cmakeconfig.h.in
 +++ b/cmakeconfig.h.in
-@@ -31,9 +31,15 @@
+@@ -34,9 +34,15 @@
 /* Define to 1 if you have the `accept4` function. */
 #cmakedefine HAVE_ACCEPT4 1
@ -81,7 +81,7 @@ index 6c96f70a..78c2cc1d 100644
 /* Define to 1 if you have the `initgroups` function. */
 #cmakedefine01 HAVE_DECL_INITGROUPS
-@@ -70,6 +76,9 @@
+@@ -73,6 +79,9 @@
 /* Define to 1 if you have the <sys/time.h> header file. */
 #cmakedefine HAVE_SYS_TIME_H 1
@ -92,7 +92,7 @@ index 6c96f70a..78c2cc1d 100644
 #cmakedefine HAVE_SYSLOG_H 1
 diff --git a/configure.ac b/configure.ac
-index 67f86511..a7de8dbb 100644
+index a54398e..a41492c 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \
@ -138,10 +138,10 @@ index 67f86511..a7de8dbb 100644
 # cygwin disables initgroups due to feature test macro magic with our
 # configuration.  FreeBSD declares initgroups() in unistd.h.
 diff --git a/doc/Makefile.am b/doc/Makefile.am
-index a7226c1f..f8d7b48f 100644
+index 5a58f8e..87f6c43 100644
 --- a/doc/Makefile.am
 +++ b/doc/Makefile.am
-@@ -70,6 +70,7 @@ APIDOCS= \
+@@ -69,6 +69,7 @@ APIDOCS= \
 	nghttp2_option_set_user_recv_extension_type.rst \
 	nghttp2_option_set_max_outbound_ack.rst \
 	nghttp2_option_set_max_settings.rst \
@ -150,7 +150,7 @@ index a7226c1f..f8d7b48f 100644
 	nghttp2_priority_spec_check_default.rst \
 	nghttp2_priority_spec_default_init.rst \
 diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
-index a02a534b..03f6030b 100644
+index 17e422b..d44de28 100644
 --- a/lib/CMakeLists.txt
 +++ b/lib/CMakeLists.txt
@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES
@ -160,10 +160,10 @@ index a02a534b..03f6030b 100644
 +  nghttp2_ratelim.c
 +  nghttp2_time.c
   nghttp2_debug.c
   nghttp2_ksl.c
 )
 diff --git a/lib/Makefile.am b/lib/Makefile.am
-index 63fa0fa8..2369f246 100644
+index 24a5bd6..595714d 100644
 --- a/lib/Makefile.am
 +++ b/lib/Makefile.am
@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \
@ -172,23 +172,23 @@ index 63fa0fa8..2369f246 100644
 	nghttp2_rcbuf.c \
 +	nghttp2_ratelim.c \
 +	nghttp2_time.c \
- 	nghttp2_debug.c \
+ 	nghttp2_debug.c
 	nghttp2_ksl.c
-@@ -66,6 +68,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
+ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
@@ -65,6 +67,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
 	nghttp2_mem.h \
 	nghttp2_http.h \
 	nghttp2_rcbuf.h \
 +	nghttp2_ratelim.h \
 +	nghttp2_time.h \
- 	nghttp2_debug.h \
+ 	nghttp2_debug.h
 	nghttp2_ksl.h
 libnghttp2_la_SOURCES = $(HFILES) $(OBJECTS)
 diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
-index edc0defc..1f2a3b93 100644
+index b0ff6c5..9eb764c 100644
 --- a/lib/includes/nghttp2/nghttp2.h
 +++ b/lib/includes/nghttp2/nghttp2.h
-@@ -2719,6 +2719,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
+@@ -2671,6 +2671,23 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
 NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
                                                     size_t val);
@ -213,7 +213,7 @@ index edc0defc..1f2a3b93 100644
  * @function
  *
 diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
-index 34348e66..0d9a4044 100644
+index 34348e6..0d9a404 100644
 --- a/lib/nghttp2_option.c
 +++ b/lib/nghttp2_option.c
@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
@ -228,7 +228,7 @@ index 34348e66..0d9a4044 100644
 +  option->stream_reset_rate = rate;
 +}
 diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
-index 939729fd..e6ba9100 100644
+index 939729f..e6ba910 100644
 --- a/lib/nghttp2_option.h
 +++ b/lib/nghttp2_option.h
@@ -68,12 +68,18 @@ typedef enum {
@ -252,7 +252,7 @@ index 939729fd..e6ba9100 100644
    */
 diff --git a/lib/nghttp2_ratelim.c b/lib/nghttp2_ratelim.c
 new file mode 100644
-index 00000000..7011655b
+index 0000000..7011655
 --- /dev/null
 +++ b/lib/nghttp2_ratelim.c
@@ -0,0 +1,75 @@
@ -333,7 +333,7 @@ index 00000000..7011655b
 +}
 diff --git a/lib/nghttp2_ratelim.h b/lib/nghttp2_ratelim.h
 new file mode 100644
-index 00000000..866ed3f0
+index 0000000..866ed3f
 --- /dev/null
 +++ b/lib/nghttp2_ratelim.h
@@ -0,0 +1,57 @@
@ -395,7 +395,7 @@ index 00000000..866ed3f0
 +
 +#endif /* NGHTTP2_RATELIM_H */
 diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
-index 2e7e907f..80072d21 100644
+index 8271198..5ee08df 100644
 --- a/lib/nghttp2_session.c
 +++ b/lib/nghttp2_session.c
@@ -36,6 +36,7 @@
@ -430,7 +430,7 @@ index 2e7e907f..80072d21 100644
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
-@@ -4153,6 +4164,23 @@ static int session_process_priority_frame(nghttp2_session *session) {
+@@ -4144,6 +4155,23 @@ static int session_process_priority_frame(nghttp2_session *session) {
   return nghttp2_session_on_priority_received(session, frame);
 }
@ -454,7 +454,7 @@ index 2e7e907f..80072d21 100644
 int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
                                            nghttp2_frame *frame) {
   int rv;
-@@ -4182,7 +4210,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
+@@ -4173,7 +4201,8 @@ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
   if (nghttp2_is_fatal(rv)) {
     return rv;
   }
@ -464,7 +464,7 @@ index 2e7e907f..80072d21 100644
 }
 static int session_process_rst_stream_frame(nghttp2_session *session) {
-@@ -6963,6 +6992,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id,
+@@ -6941,6 +6970,9 @@ int nghttp2_session_add_goaway(nghttp2_session *session, int32_t last_stream_id,
     nghttp2_mem_free(mem, item);
     return rv;
   }
@ -475,7 +475,7 @@ index 2e7e907f..80072d21 100644
 }
 diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
-index 07bfbb6c..9d429921 100644
+index e62a3bb..03f8bee 100644
 --- a/lib/nghttp2_session.h
 +++ b/lib/nghttp2_session.h
@@ -39,6 +39,7 @@
@ -497,7 +497,7 @@ index 07bfbb6c..9d429921 100644
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
-@@ -176,7 +181,9 @@ typedef enum {
+@@ -175,7 +180,9 @@ typedef enum {
   /* Flag means GOAWAY was sent */
   NGHTTP2_GOAWAY_SENT = 0x4,
   /* Flag means GOAWAY was received */
@ -508,7 +508,7 @@ index 07bfbb6c..9d429921 100644
 } nghttp2_goaway_flag;
 /* nghttp2_inflight_settings stores the SETTINGS entries which local
-@@ -227,6 +234,9 @@ struct nghttp2_session {
+@@ -229,6 +236,9 @@ struct nghttp2_session {
   /* Queue of In-flight SETTINGS values.  SETTINGS bearing ACK is not
      considered as in-flight. */
   nghttp2_inflight_settings *inflight_settings_head;
@ -520,7 +520,7 @@ index 07bfbb6c..9d429921 100644
   size_t num_outgoing_streams;
 diff --git a/lib/nghttp2_time.c b/lib/nghttp2_time.c
 new file mode 100644
-index 00000000..2a5f1a6f
+index 0000000..2a5f1a6
 --- /dev/null
 +++ b/lib/nghttp2_time.c
@@ -0,0 +1,62 @@
@ -588,7 +588,7 @@ index 00000000..2a5f1a6f
 +#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
 diff --git a/lib/nghttp2_time.h b/lib/nghttp2_time.h
 new file mode 100644
-index 00000000..03c0bbe9
+index 0000000..03c0bbe
 --- /dev/null
 +++ b/lib/nghttp2_time.h
@@ -0,0 +1,38 @@
@ -631,7 +631,7 @@ index 00000000..03c0bbe9
 +
 +#endif /* NGHTTP2_TIME_H */
 diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index 4250ac3a..344c5422 100644
+index 4250ac3..344c542 100644
 --- a/tests/CMakeLists.txt
 +++ b/tests/CMakeLists.txt
@@ -21,6 +21,7 @@ if(HAVE_CUNIT)
@ -643,7 +643,7 @@ index 4250ac3a..344c5422 100644
   add_executable(main EXCLUDE_FROM_ALL
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index c3e43925..c130a000 100644
+index c3e4392..c130a00 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghttp2_map_test.c nghttp2_queue_test.c \
@ -666,7 +666,7 @@ index c3e43925..c130a000 100644
 main_SOURCES = $(HFILES) $(OBJECTS)
 diff --git a/tests/main.c b/tests/main.c
-index 25cbbfd7..c4d39bbc 100644
+index 1f795cd..334cad8 100644
 --- a/tests/main.c
 +++ b/tests/main.c
@@ -40,6 +40,7 @@
@ -677,7 +677,7 @@ index 25cbbfd7..c4d39bbc 100644
 extern int nghttp2_enable_strict_preface;
-@@ -329,6 +330,8 @@ int main() {
+@@ -323,6 +324,8 @@ int main() {
                    test_nghttp2_session_no_closed_streams) ||
       !CU_add_test(pSuite, "session_set_stream_user_data",
                    test_nghttp2_session_set_stream_user_data) ||
@ -686,7 +686,7 @@ index 25cbbfd7..c4d39bbc 100644
       !CU_add_test(pSuite, "http_mandatory_headers",
                    test_nghttp2_http_mandatory_headers) ||
       !CU_add_test(pSuite, "http_content_length",
-@@ -425,7 +428,9 @@ int main() {
+@@ -418,7 +421,9 @@ int main() {
       !CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) ||
       !CU_add_test(pSuite, "bufs_next_present",
                    test_nghttp2_bufs_next_present) ||
@ -699,7 +699,7 @@ index 25cbbfd7..c4d39bbc 100644
   }
 diff --git a/tests/nghttp2_ratelim_test.c b/tests/nghttp2_ratelim_test.c
 new file mode 100644
-index 00000000..6abece95
+index 0000000..6abece9
 --- /dev/null
 +++ b/tests/nghttp2_ratelim_test.c
@@ -0,0 +1,101 @@
@ -806,7 +806,7 @@ index 00000000..6abece95
 +}
 diff --git a/tests/nghttp2_ratelim_test.h b/tests/nghttp2_ratelim_test.h
 new file mode 100644
-index 00000000..02b2f2b2
+index 0000000..02b2f2b
 --- /dev/null
 +++ b/tests/nghttp2_ratelim_test.h
@@ -0,0 +1,35 @@
@ -846,10 +846,10 @@ index 00000000..02b2f2b2
 +
 +#endif /* NGHTTP2_RATELIM_TEST_H */
 diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
-index 962e3c13..43db9352 100644
+index ab76ab4..dece5c1 100644
 --- a/tests/nghttp2_session_test.c
 +++ b/tests/nghttp2_session_test.c
-@@ -11055,6 +11055,109 @@ void test_nghttp2_session_set_stream_user_data(void) {
+@@ -10790,6 +10790,109 @@ void test_nghttp2_session_set_stream_user_data(void) {
   nghttp2_session_del(session);
 }
@ -960,10 +960,10 @@ index 962e3c13..43db9352 100644
     nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id,
     int stream_state, const nghttp2_nv *nva, size_t nvlen) {
 diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
-index bdedd849..23fda64a 100644
+index c5095c2..2b74e88 100644
 --- a/tests/nghttp2_session_test.h
 +++ b/tests/nghttp2_session_test.h
-@@ -162,6 +162,7 @@ void test_nghttp2_session_removed_closed_stream(void);
+@@ -160,6 +160,7 @@ void test_nghttp2_session_removed_closed_stream(void);
 void test_nghttp2_session_pause_data(void);
 void test_nghttp2_session_no_closed_streams(void);
 void test_nghttp2_session_set_stream_user_data(void);
--- a/SOURCES/0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
+++ b/SOURCES/0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
@ -1,15 +1,15 @@
-From faca42daa4d3166e0af50cd1b33dc607a0f63af1 Mon Sep 17 00:00:00 2001
+From 771044ffd217c5b20f1714e7e3fdd851a32d059c Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 9 Mar 2024 16:26:42 +0900
-Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+Subject: [PATCH] Add nghttp2_option_set_max_continuations
 (cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
 Signed-off-by: Jan Macku <jamacku@redhat.com>
 Add nghttp2_option_set_max_continuations
 (cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9)
 Signed-off-by: Jan Macku <jamacku@redhat.com>
 Limit CONTINUATION frames following an incoming HEADER frame
 (cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
 Signed-off-by: Jan Macku <jamacku@redhat.com>
 ---
 doc/Makefile.am                |  1 +
 lib/includes/nghttp2/nghttp2.h | 18 +++++++++++++++++-
@ -21,10 +21,10 @@ Signed-off-by: Jan Macku <jamacku@redhat.com>
 7 files changed, 51 insertions(+), 1 deletion(-)
 diff --git a/doc/Makefile.am b/doc/Makefile.am
-index f8d7b48f..39d0d304 100644
+index 87f6c43b..1334de63 100644
 --- a/doc/Makefile.am
 +++ b/doc/Makefile.am
-@@ -68,6 +68,7 @@ APIDOCS= \
+@@ -67,6 +67,7 @@ APIDOCS= \
 	nghttp2_option_set_no_recv_client_magic.rst \
 	nghttp2_option_set_peer_max_concurrent_streams.rst \
 	nghttp2_option_set_user_recv_extension_type.rst \
@ -33,10 +33,10 @@ index f8d7b48f..39d0d304 100644
 	nghttp2_option_set_max_settings.rst \
 	nghttp2_option_set_stream_reset_rate_limit.rst \
 diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
-index 1f2a3b93..1137e645 100644
+index 9eb764c6..2530a061 100644
 --- a/lib/includes/nghttp2/nghttp2.h
 +++ b/lib/includes/nghttp2/nghttp2.h
-@@ -440,7 +440,12 @@ typedef enum {
+@@ -434,7 +434,12 @@ typedef enum {
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
@ -50,7 +50,7 @@ index 1f2a3b93..1137e645 100644
 } nghttp2_error;
 /**
-@@ -2736,6 +2741,17 @@ NGHTTP2_EXTERN void
+@@ -2688,6 +2693,17 @@ NGHTTP2_EXTERN void
 nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
                                            uint64_t burst, uint64_t rate);
@ -69,7 +69,7 @@ index 1f2a3b93..1137e645 100644
  * @function
  *
 diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
-index 0bd54147..4158a0b0 100644
+index 49bbf079..562c652c 100644
 --- a/lib/nghttp2_helper.c
 +++ b/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
@ -118,7 +118,7 @@ index e6ba9100..c1b48c73 100644
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
 diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
-index 80072d21..3e11bd8f 100644
+index 5ee08dfe..821c57ea 100644
 --- a/lib/nghttp2_session.c
 +++ b/lib/nghttp2_session.c
@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
@ -140,7 +140,7 @@ index 80072d21..3e11bd8f 100644
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
-@@ -6309,6 +6314,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+@@ -6289,6 +6294,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
           }
         }
         session_inbound_frame_reset(session);
@ -149,7 +149,7 @@ index 80072d21..3e11bd8f 100644
       }
       break;
     }
-@@ -6430,6 +6437,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+@@ -6410,6 +6417,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
       }
 #endif /* DEBUGBUILD */
@ -161,7 +161,7 @@ index 80072d21..3e11bd8f 100644
       in += readlen;
 diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
-index 9d429921..d8f9c395 100644
+index 03f8bee4..72464024 100644
 --- a/lib/nghttp2_session.h
 +++ b/lib/nghttp2_session.h
@@ -107,6 +107,10 @@ typedef struct {
@ -175,7 +175,7 @@ index 9d429921..d8f9c395 100644
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
-@@ -279,6 +283,12 @@ struct nghttp2_session {
+@@ -281,6 +285,12 @@ struct nghttp2_session {
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
--- a/SOURCES/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
+++ b/SOURCES/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
@ -0,0 +1,454 @@
 From 4b7aefd8fd1612d455f2f128c09230335ed0cee6 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Tue, 6 Aug 2019 20:48:50 +0900
 Subject: [PATCH 1/3] nghttpx: Fix request stall
 Fix request stall if backend connection is reused and buffer is full.
 Upstream-commit: db2f612a30d54aa152ce5530fa1d683738baa4d1
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 integration-tests/nghttpx_http1_test.go | 29 +++++++++++++++++++++++++
 integration-tests/server_tester.go      |  4 +++-
 src/shrpx_downstream.cc                 | 12 +++++++++-
 src/shrpx_downstream.h                  |  4 ++++
 src/shrpx_http_downstream_connection.cc | 16 +++++++++++++-
 src/shrpx_https_upstream.cc             |  4 +---
 6 files changed, 63 insertions(+), 6 deletions(-)
 diff --git a/integration-tests/nghttpx_http1_test.go b/integration-tests/nghttpx_http1_test.go
 index a765333..3d41677 100644
 --- a/integration-tests/nghttpx_http1_test.go
 +++ b/integration-tests/nghttpx_http1_test.go
@@ -625,6 +625,35 @@ func TestH1H1HTTPSRedirectPort(t *testing.T) {
 	}
 }
 +// TestH1H1POSTRequests tests that server can handle 2 requests with
 +// request body.
 +func TestH1H1POSTRequests(t *testing.T) {
 +	st := newServerTester(nil, t, noopHandler)
 +	defer st.Close()
 +
 +	res, err := st.http1(requestParam{
 +		name: "TestH1H1POSTRequestsNo1",
 +		body: make([]byte, 1),
 +	})
 +	if err != nil {
 +		t.Fatalf("Error st.http1() = %v", err)
 +	}
 +	if got, want := res.status, 200; got != want {
 +		t.Errorf("res.status: %v; want %v", got, want)
 +	}
 +
 +	res, err = st.http1(requestParam{
 +		name: "TestH1H1POSTRequestsNo2",
 +		body: make([]byte, 65536),
 +	})
 +	if err != nil {
 +		t.Fatalf("Error st.http1() = %v", err)
 +	}
 +	if got, want := res.status, 200; got != want {
 +		t.Errorf("res.status: %v; want %v", got, want)
 +	}
 +}
 +
 // // TestH1H2ConnectFailure tests that server handles the situation that
 // // connection attempt to HTTP/2 backend failed.
 // func TestH1H2ConnectFailure(t *testing.T) {
 diff --git a/integration-tests/server_tester.go b/integration-tests/server_tester.go
 index d145519..1156986 100644
 --- a/integration-tests/server_tester.go
 +++ b/integration-tests/server_tester.go
@@ -662,7 +662,9 @@ func cloneHeader(h http.Header) http.Header {
 	return h2
 }
 -func noopHandler(w http.ResponseWriter, r *http.Request) {}
 +func noopHandler(w http.ResponseWriter, r *http.Request) {
 +	ioutil.ReadAll(r.Body)
 +}
 type APIResponse struct {
 	Status string                 `json:"status,omitempty"`
 diff --git a/src/shrpx_downstream.cc b/src/shrpx_downstream.cc
 index 360a9a9..48db65b 100644
 --- a/src/shrpx_downstream.cc
 +++ b/src/shrpx_downstream.cc
@@ -144,7 +144,8 @@ Downstream::Downstream(Upstream *upstream, MemchunkPool *mcpool,
       request_header_sent_(false),
       accesslog_written_(false),
       new_affinity_cookie_(false),
 -      blocked_request_data_eof_(false) {
 +      blocked_request_data_eof_(false),
 +      expect_100_continue_(false) {
   auto &timeoutconf = get_config()->http2.timeout;
@@ -807,6 +808,11 @@ void Downstream::inspect_http1_request() {
       chunked_request_ = true;
     }
   }
 +
 +  auto expect = req_.fs.header(http2::HD_EXPECT);
 +  expect_100_continue_ =
 +      expect &&
 +      util::strieq(expect->value, StringRef::from_lit("100-continue"));
 }
 void Downstream::inspect_http1_response() {
@@ -1103,4 +1109,8 @@ bool Downstream::get_blocked_request_data_eof() const {
   return blocked_request_data_eof_;
 }
 +bool Downstream::get_expect_100_continue() const {
 +  return expect_100_continue_;
 +}
 +
 } // namespace shrpx
 diff --git a/src/shrpx_downstream.h b/src/shrpx_downstream.h
 index c81fcf6..b9a851f 100644
 --- a/src/shrpx_downstream.h
 +++ b/src/shrpx_downstream.h
@@ -466,6 +466,8 @@ public:
     EVENT_TIMEOUT = 0x2,
   };
 +  bool get_expect_100_continue() const;
 +
   enum {
     DISPATCH_NONE,
     DISPATCH_PENDING,
@@ -556,6 +558,8 @@ private:
   // true if eof is received from client before sending header fields
   // to backend.
   bool blocked_request_data_eof_;
 +  // true if request contains "expect: 100-continue" header field.
 +  bool expect_100_continue_;
 };
 } // namespace shrpx
 diff --git a/src/shrpx_http_downstream_connection.cc b/src/shrpx_http_downstream_connection.cc
 index f50c0f4..85ca947 100644
 --- a/src/shrpx_http_downstream_connection.cc
 +++ b/src/shrpx_http_downstream_connection.cc
@@ -698,7 +698,8 @@ int HttpDownstreamConnection::push_request_headers() {
   // signal_write() when we received request body chunk, and it
   // enables us to send headers and data in one writev system call.
   if (connect_method || downstream_->get_blocked_request_buf()->rleft() ||
 -      (!req.http2_expect_body && req.fs.content_length == 0)) {
 +      (!req.http2_expect_body && req.fs.content_length == 0) ||
 +      downstream_->get_expect_100_continue()) {
     signal_write();
   }
@@ -1172,6 +1173,19 @@ int HttpDownstreamConnection::write_reuse_first() {
   reuse_first_write_done_ = true;
 +  // upstream->resume_read() might be called in
 +  // write_tls()/write_clear(), but before blocked_request_buf_ is
 +  // reset.  So upstream read might still be blocked.  Let's do it
 +  // again here.
 +  auto input = downstream_->get_request_buf();
 +  if (input->rleft() == 0) {
 +    auto upstream = downstream_->get_upstream();
 +    auto &req = downstream_->request();
 +
 +    upstream->resume_read(SHRPX_NO_BUFFER, downstream_,
 +                          req.unconsumed_body_length);
 +  }
 +
   return 0;
 }
 diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc
 index 452ec90..96ca2cd 100644
 --- a/src/shrpx_https_upstream.cc
 +++ b/src/shrpx_https_upstream.cc
@@ -467,9 +467,7 @@ int htp_hdrs_completecb(http_parser *htp) {
     // and let them decide whether responds with 100 Continue or not.
     // For alternative mode, we have no backend, so just send 100
     // Continue here to make the client happy.
 -    auto expect = req.fs.header(http2::HD_EXPECT);
 -    if (expect &&
 -        util::strieq(expect->value, StringRef::from_lit("100-continue"))) {
 +    if (downstream->get_expect_100_continue()) {
       auto output = downstream->get_response_buf();
       constexpr auto res = StringRef::from_lit("HTTP/1.1 100 Continue\r\n\r\n");
       output->append(res);
 -- 
 2.20.1
 From 589a98eba0b3c7a4dbb2262c60b609cac2b1f838 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Tue, 25 Jun 2019 22:33:35 +0900
 Subject: [PATCH 2/3] Add nghttp2_option_set_max_outbound_ack
 Upstream-commit: a76d0723b5f52902139ff453e0ec840673e86e75
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 doc/Makefile.am                |  1 +
 lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
 lib/nghttp2_option.c           |  5 +++++
 lib/nghttp2_option.h           |  5 +++++
 lib/nghttp2_session.c          |  9 +++++++--
 lib/nghttp2_session.h          |  8 ++++++--
 tests/nghttp2_session_test.c   |  4 ++--
 7 files changed, 37 insertions(+), 6 deletions(-)
 diff --git a/doc/Makefile.am b/doc/Makefile.am
 index 07cd34e..66e5ba3 100644
 --- a/doc/Makefile.am
 +++ b/doc/Makefile.am
@@ -67,6 +67,7 @@ APIDOCS= \
 	nghttp2_option_set_no_recv_client_magic.rst \
 	nghttp2_option_set_peer_max_concurrent_streams.rst \
 	nghttp2_option_set_user_recv_extension_type.rst \
 +	nghttp2_option_set_max_outbound_ack.rst \
 	nghttp2_pack_settings_payload.rst \
 	nghttp2_priority_spec_check_default.rst \
 	nghttp2_priority_spec_default_init.rst \
 diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
 index 14f8950..137a675 100644
 --- a/lib/includes/nghttp2/nghttp2.h
 +++ b/lib/includes/nghttp2/nghttp2.h
@@ -2637,6 +2637,17 @@ nghttp2_option_set_max_deflate_dynamic_table_size(nghttp2_option *option,
 NGHTTP2_EXTERN void nghttp2_option_set_no_closed_streams(nghttp2_option *option,
                                                          int val);
 +/**
 + * @function
 + *
 + * This function sets the maximum number of outgoing SETTINGS ACK and
 + * PING ACK frames retained in :type:`nghttp2_session` object.  If
 + * more than those frames are retained, the peer is considered to be
 + * misbehaving and session will be closed.  The default value is 1000.
 + */
 +NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
 +                                                        size_t val);
 +
 /**
  * @function
  *
 diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
 index aec5dcf..ae22493 100644
 --- a/lib/nghttp2_option.c
 +++ b/lib/nghttp2_option.c
@@ -116,3 +116,8 @@ void nghttp2_option_set_no_closed_streams(nghttp2_option *option, int val) {
   option->opt_set_mask |= NGHTTP2_OPT_NO_CLOSED_STREAMS;
   option->no_closed_streams = val;
 }
 +
 +void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) {
 +  option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
 +  option->max_outbound_ack = val;
 +}
 diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
 index c743e33..86d31f7 100644
 --- a/lib/nghttp2_option.h
 +++ b/lib/nghttp2_option.h
@@ -66,6 +66,7 @@ typedef enum {
   NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH = 1 << 8,
   NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
   NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
 +  NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
 } nghttp2_option_flag;
 /**
@@ -80,6 +81,10 @@ struct nghttp2_option {
    * NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE
    */
   size_t max_deflate_dynamic_table_size;
 +  /**
 +   * NGHTTP2_OPT_MAX_OUTBOUND_ACK
 +   */
 +  size_t max_outbound_ack;
   /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
 diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
 index c58f059..8628cc7 100644
 --- a/lib/nghttp2_session.c
 +++ b/lib/nghttp2_session.c
@@ -457,6 +457,7 @@ static int session_new(nghttp2_session **session_ptr,
   (*session_ptr)->remote_settings.max_concurrent_streams = 100;
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
 +  (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -516,6 +517,10 @@ static int session_new(nghttp2_session **session_ptr,
         option->no_closed_streams) {
       (*session_ptr)->opt_flags |= NGHTTP2_OPTMASK_NO_CLOSED_STREAMS;
     }
 +
 +    if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
 +      (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
 +    }
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6831,7 +6836,7 @@ int nghttp2_session_add_ping(nghttp2_session *session, uint8_t flags,
   mem = &session->mem;
   if ((flags & NGHTTP2_FLAG_ACK) &&
 -      session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) {
 +      session->obq_flood_counter_ >= session->max_outbound_ack) {
     return NGHTTP2_ERR_FLOODED;
   }
@@ -6976,7 +6981,7 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags,
       return NGHTTP2_ERR_INVALID_ARGUMENT;
     }
 -    if (session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) {
 +    if (session->obq_flood_counter_ >= session->max_outbound_ack) {
       return NGHTTP2_ERR_FLOODED;
     }
   }
 diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
 index c7cb27d..d9e2846 100644
 --- a/lib/nghttp2_session.h
 +++ b/lib/nghttp2_session.h
@@ -97,7 +97,7 @@ typedef struct {
    response frames are stacked up, which leads to memory exhaustion.
    The value selected here is arbitrary, but safe value and if we have
    these frames in this number, it is considered suspicious. */
 -#define NGHTTP2_MAX_OBQ_FLOOD_ITEM 10000
 +#define NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM 1000
 /* The default value of maximum number of concurrent streams. */
 #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
@@ -260,8 +260,12 @@ struct nghttp2_session {
   size_t num_idle_streams;
   /* The number of bytes allocated for nvbuf */
   size_t nvbuflen;
 -  /* Counter for detecting flooding in outbound queue */
 +  /* Counter for detecting flooding in outbound queue.  If it exceeds
 +     max_outbound_ack, session will be closed. */
   size_t obq_flood_counter_;
 +  /* The maximum number of outgoing SETTINGS ACK and PING ACK in
 +     outbound queue. */
 +  size_t max_outbound_ack;
   /* The maximum length of header block to send.  Calculated by the
      same way as nghttp2_hd_deflate_bound() does. */
   size_t max_send_header_block_length;
 diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
 index 783b0ed..debec59 100644
 --- a/tests/nghttp2_session_test.c
 +++ b/tests/nghttp2_session_test.c
@@ -9894,7 +9894,7 @@ void test_nghttp2_session_flooding(void) {
   buf = &bufs.head->buf;
 -  for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) {
 +  for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) {
     CU_ASSERT(
         (ssize_t)nghttp2_buf_len(buf) ==
         nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)));
@@ -9916,7 +9916,7 @@ void test_nghttp2_session_flooding(void) {
   buf = &bufs.head->buf;
 -  for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) {
 +  for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) {
     CU_ASSERT(
         (ssize_t)nghttp2_buf_len(buf) ==
         nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)));
 -- 
 2.20.1
 From e32b3e4c9df4abb83ca1c1c41901fadbae44699b Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Tue, 25 Jun 2019 22:38:43 +0900
 Subject: [PATCH 3/3] Don't read too greedily
 Upstream-commit: 83d362c6d21f76599b86e7b94cd1992288a1d43c
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 src/HttpServer.cc           | 2 ++
 src/shrpx_client_handler.cc | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
 diff --git a/src/HttpServer.cc b/src/HttpServer.cc
 index b3e35ef..a75cee4 100644
 --- a/src/HttpServer.cc
 +++ b/src/HttpServer.cc
@@ -650,6 +650,7 @@ int Http2Handler::read_clear() {
       }
       return -1;
     }
 +    break;
   }
   return write_(*this);
@@ -775,6 +776,7 @@ int Http2Handler::read_tls() {
       }
       return -1;
     }
 +    break;
   }
 fin:
 diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc
 index 21430dd..fa1fc87 100644
 --- a/src/shrpx_client_handler.cc
 +++ b/src/shrpx_client_handler.cc
@@ -111,6 +111,7 @@ void writecb(struct ev_loop *loop, ev_io *w, int revents) {
 int ClientHandler::noop() { return 0; }
 int ClientHandler::read_clear() {
 +  auto should_break = false;
   rb_.ensure_chunk();
   for (;;) {
     if (rb_.rleft() && on_read() != 0) {
@@ -123,7 +124,7 @@ int ClientHandler::read_clear() {
       return 0;
     }
 -    if (!ev_is_active(&conn_.rev)) {
 +    if (!ev_is_active(&conn_.rev) || should_break) {
       return 0;
     }
@@ -141,6 +142,7 @@ int ClientHandler::read_clear() {
     }
     rb_.write(nread);
 +    should_break = true;
   }
 }
@@ -205,6 +207,8 @@ int ClientHandler::tls_handshake() {
 }
 int ClientHandler::read_tls() {
 +  auto should_break = false;
 +
   ERR_clear_error();
   rb_.ensure_chunk();
@@ -221,7 +225,7 @@ int ClientHandler::read_tls() {
       return 0;
     }
 -    if (!ev_is_active(&conn_.rev)) {
 +    if (!ev_is_active(&conn_.rev) || should_break) {
       return 0;
     }
@@ -239,6 +243,7 @@ int ClientHandler::read_tls() {
     }
     rb_.write(nread);
 +    should_break = true;
   }
 }
 -- 
 2.20.1
--- a/SOURCES/nghttp2-1.33.0-CVE-2020-11080.patch
+++ b/SOURCES/nghttp2-1.33.0-CVE-2020-11080.patch
@ -0,0 +1,340 @@
 From 34670cfbc56f1c63ec046c38b9ad518010b5c84d Mon Sep 17 00:00:00 2001
 From: James M Snell <jasnell@gmail.com>
 Date: Fri, 17 Apr 2020 16:53:51 -0700
 Subject: [PATCH 1/2] Implement max settings option
 Upstream-commit: 336a98feb0d56b9ac54e12736b18785c27f75090
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 doc/CMakeLists.txt             |  1 +
 doc/Makefile.am                |  1 +
 lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
 lib/nghttp2_helper.c           |  2 ++
 lib/nghttp2_option.c           |  5 +++
 lib/nghttp2_option.h           |  5 +++
 lib/nghttp2_session.c          | 21 ++++++++++++
 lib/nghttp2_session.h          |  2 ++
 tests/main.c                   |  2 ++
 tests/nghttp2_session_test.c   | 61 ++++++++++++++++++++++++++++++++++
 tests/nghttp2_session_test.h   |  1 +
 11 files changed, 124 insertions(+)
 diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
 index 34c0279..f3aec84 100644
 --- a/doc/CMakeLists.txt
 +++ b/doc/CMakeLists.txt
@@ -42,6 +42,7 @@ set(APIDOCS
   nghttp2_option_set_no_recv_client_magic.rst
   nghttp2_option_set_peer_max_concurrent_streams.rst
   nghttp2_option_set_user_recv_extension_type.rst
 +  nghttp2_option_set_max_settings.rst
   nghttp2_pack_settings_payload.rst
   nghttp2_priority_spec_check_default.rst
   nghttp2_priority_spec_default_init.rst
 diff --git a/doc/Makefile.am b/doc/Makefile.am
 index c17d933..5a58f8e 100644
 --- a/doc/Makefile.am
 +++ b/doc/Makefile.am
@@ -68,6 +68,7 @@ APIDOCS= \
 	nghttp2_option_set_peer_max_concurrent_streams.rst \
 	nghttp2_option_set_user_recv_extension_type.rst \
 	nghttp2_option_set_max_outbound_ack.rst \
 +	nghttp2_option_set_max_settings.rst \
 	nghttp2_pack_settings_payload.rst \
 	nghttp2_priority_spec_check_default.rst \
 	nghttp2_priority_spec_default_init.rst \
 diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
 index d79bf48..b0ff6c5 100644
 --- a/lib/includes/nghttp2/nghttp2.h
 +++ b/lib/includes/nghttp2/nghttp2.h
@@ -222,6 +222,13 @@ typedef struct {
  */
 #define NGHTTP2_CLIENT_MAGIC_LEN 24
 +/**
 + * @macro
 + *
 + * The default max number of settings per SETTINGS frame
 + */
 +#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
 +
 /**
  * @enum
  *
@@ -392,6 +399,11 @@ typedef enum {
    * receives an other type of frame.
    */
   NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
 +  /**
 +   * When a local endpoint receives too many settings entries
 +   * in a single SETTINGS frame.
 +   */
 +  NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
   /**
    * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
    * under unexpected condition and processing was terminated (e.g.,
@@ -2648,6 +2660,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_no_closed_streams(nghttp2_option *option,
 NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
                                                         size_t val);
 +/**
 + * @function
 + *
 + * This function sets the maximum number of SETTINGS entries per
 + * SETTINGS frame that will be accepted. If more than those entries
 + * are received, the peer is considered to be misbehaving and session
 + * will be closed. The default value is 32.
 + */
 +NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
 +                                                    size_t val);
 +
 /**
  * @function
  *
 diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
 index 3b282c7..49bbf07 100644
 --- a/lib/nghttp2_helper.c
 +++ b/lib/nghttp2_helper.c
@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
   case NGHTTP2_ERR_FLOODED:
     return "Flooding was detected in this HTTP/2 session, and it must be "
            "closed";
 +  case NGHTTP2_ERR_TOO_MANY_SETTINGS:
 +    return "SETTINGS frame contained more than the maximum allowed entries";
   default:
     return "Unknown error code";
   }
 diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
 index e53f22d..34348e6 100644
 --- a/lib/nghttp2_option.c
 +++ b/lib/nghttp2_option.c
@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) {
   option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
   option->max_outbound_ack = val;
 }
 +
 +void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
 +  option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
 +  option->max_settings = val;
 +}
 diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
 index 1f740aa..939729f 100644
 --- a/lib/nghttp2_option.h
 +++ b/lib/nghttp2_option.h
@@ -67,6 +67,7 @@ typedef enum {
   NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
   NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
   NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
 +  NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
 } nghttp2_option_flag;
 /**
@@ -85,6 +86,10 @@ struct nghttp2_option {
    * NGHTTP2_OPT_MAX_OUTBOUND_ACK
    */
   size_t max_outbound_ack;
 +  /**
 +   * NGHTTP2_OPT_MAX_SETTINGS
 +   */
 +  size_t max_settings;
   /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
 diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
 index 670f83f..7638823 100644
 --- a/lib/nghttp2_session.c
 +++ b/lib/nghttp2_session.c
@@ -458,6 +458,7 @@ static int session_new(nghttp2_session **session_ptr,
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
 +  (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -521,6 +522,11 @@ static int session_new(nghttp2_session **session_ptr,
     if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
       (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
     }
 +
 +    if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
 +        option->max_settings) {
 +      (*session_ptr)->max_settings = option->max_settings;
 +    }
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -5658,6 +5664,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
           iframe->max_niv =
               iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
 +          if (iframe->max_niv - 1 > session->max_settings) {
 +            rv = nghttp2_session_terminate_session_with_reason(
 +                session, NGHTTP2_ENHANCE_YOUR_CALM,
 +                "SETTINGS: too many setting entries");
 +            if (nghttp2_is_fatal(rv)) {
 +              return rv;
 +            }
 +            return (ssize_t)inlen;
 +          }
 +
           iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
                                                    iframe->max_niv);
@@ -7413,6 +7429,11 @@ static int nghttp2_session_upgrade_internal(nghttp2_session *session,
   if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
     return NGHTTP2_ERR_INVALID_ARGUMENT;
   }
 +  /* SETTINGS frame contains too many settings */
 +  if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
 +        > session->max_settings) {
 +    return NGHTTP2_ERR_TOO_MANY_SETTINGS;
 +  }
   rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
                                               settings_payloadlen, mem);
   if (rv != 0) {
 diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
 index 2969364..e62a3bb 100644
 --- a/lib/nghttp2_session.h
 +++ b/lib/nghttp2_session.h
@@ -269,6 +269,8 @@ struct nghttp2_session {
   /* The maximum length of header block to send.  Calculated by the
      same way as nghttp2_hd_deflate_bound() does. */
   size_t max_send_header_block_length;
 +  /* The maximum number of settings accepted per SETTINGS frame. */
 +  size_t max_settings;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
 diff --git a/tests/main.c b/tests/main.c
 index 13865de..1f795cd 100644
 --- a/tests/main.c
 +++ b/tests/main.c
@@ -313,6 +313,8 @@ int main() {
                    test_nghttp2_session_set_local_window_size) ||
       !CU_add_test(pSuite, "session_cancel_from_before_frame_send",
                    test_nghttp2_session_cancel_from_before_frame_send) ||
 +      !CU_add_test(pSuite, "session_too_many_settings",
 +                   test_nghttp2_session_too_many_settings) ||
       !CU_add_test(pSuite, "session_removed_closed_stream",
                    test_nghttp2_session_removed_closed_stream) ||
       !CU_add_test(pSuite, "session_pause_data",
 diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
 index 0013e92..ab76ab4 100644
 --- a/tests/nghttp2_session_test.c
 +++ b/tests/nghttp2_session_test.c
@@ -10450,6 +10450,67 @@ void test_nghttp2_session_cancel_from_before_frame_send(void) {
   nghttp2_session_del(session);
 }
 +void test_nghttp2_session_too_many_settings(void) {
 +  nghttp2_session *session;
 +  nghttp2_option *option;
 +  nghttp2_session_callbacks callbacks;
 +  nghttp2_frame frame;
 +  nghttp2_bufs bufs;
 +  nghttp2_buf *buf;
 +  ssize_t rv;
 +  my_user_data ud;
 +  nghttp2_settings_entry iv[3];
 +  nghttp2_mem *mem;
 +  nghttp2_outbound_item *item;
 +
 +  mem = nghttp2_mem_default();
 +  frame_pack_bufs_init(&bufs);
 +
 +  memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
 +  callbacks.on_frame_recv_callback = on_frame_recv_callback;
 +  callbacks.send_callback = null_send_callback;
 +
 +  nghttp2_option_new(&option);
 +  nghttp2_option_set_max_settings(option, 1);
 +
 +  nghttp2_session_client_new2(&session, &callbacks, &ud, option);
 +
 +  CU_ASSERT(1 == session->max_settings);
 +
 +  nghttp2_option_del(option);
 +
 +  iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
 +  iv[0].value = 3000;
 +
 +  iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
 +  iv[1].value = 16384;
 +
 +  nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
 +                              2);
 +
 +  rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
 +
 +  CU_ASSERT(0 == rv);
 +  CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
 +
 +  nghttp2_frame_settings_free(&frame.settings, mem);
 +
 +  buf = &bufs.head->buf;
 +  assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
 +
 +  ud.frame_recv_cb_called = 0;
 +
 +  rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
 +  CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
 +
 +  item = nghttp2_session_get_next_ob_item(session);
 +  CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
 +
 +  nghttp2_bufs_reset(&bufs);
 +  nghttp2_bufs_free(&bufs);
 +  nghttp2_session_del(session);
 +}
 +
 static void
 prepare_session_removed_closed_stream(nghttp2_session *session,
                                       nghttp2_hd_deflater *deflater) {
 diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
 index 35a48b8..c5095c2 100644
 --- a/tests/nghttp2_session_test.h
 +++ b/tests/nghttp2_session_test.h
@@ -155,6 +155,7 @@ void test_nghttp2_session_repeated_priority_change(void);
 void test_nghttp2_session_repeated_priority_submission(void);
 void test_nghttp2_session_set_local_window_size(void);
 void test_nghttp2_session_cancel_from_before_frame_send(void);
 +void test_nghttp2_session_too_many_settings(void);
 void test_nghttp2_session_removed_closed_stream(void);
 void test_nghttp2_session_pause_data(void);
 void test_nghttp2_session_no_closed_streams(void);
 -- 
 2.21.3
 From da3f4a5730ffa015a9e2d62e6e876a02f1dced20 Mon Sep 17 00:00:00 2001
 From: James M Snell <jasnell@gmail.com>
 Date: Sun, 19 Apr 2020 09:12:24 -0700
 Subject: [PATCH 2/2] Earlier check for settings flood
 Upstream-commit: f8da73bd042f810f34d19f9eae02b46d870af394
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/nghttp2_session.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
 index 7638823..8271198 100644
 --- a/lib/nghttp2_session.c
 +++ b/lib/nghttp2_session.c
@@ -5654,6 +5654,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
           break;
         }
 +        /* Check the settings flood counter early to be safe */
 +        if (session->obq_flood_counter_ >= session->max_outbound_ack &&
 +            !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
 +          return NGHTTP2_ERR_FLOODED;
 +        }
 +
         iframe->state = NGHTTP2_IB_READ_SETTINGS;
         if (iframe->payloadleft) {
 -- 
 2.21.3
--- a/SPECS/nghttp2.spec
+++ b/SPECS/nghttp2.spec
@ -1,16 +1,23 @@
 Summary: Experimental HTTP/2 client, server and proxy
 Name: nghttp2
-Version: 1.43.0
+Version: 1.33.0
-Release: 6%{?dist}
+Release: 6%{?dist}.1
 License: MIT
 Group: Applications/Internet
 URL: https://nghttp2.org/
 Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
 # backport security fixes from nghttp2-1.39.2 (CVE-2019-9511 and CVE-2019-9513)
 Patch1: nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
 # prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
 Patch2: nghttp2-1.33.0-CVE-2020-11080.patch
 # fix HTTP/2 Rapid Reset (CVE-2023-44487)
-Patch1:   0001-nghttp2-1.43.0-CVE-2023-44487.patch
+Patch3: 0003-nghttp2-1.33.0-CVE-2023-44487.patch
 # fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
-Patch2:   0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
+Patch4: 0004-nghttp2-1.33.0-CVE-2024-28182.patch
 BuildRequires: automake
 BuildRequires: libtool
@ -19,8 +26,6 @@ BuildRequires: CUnit-devel
 BuildRequires: c-ares-devel
 BuildRequires: gcc-c++
 BuildRequires: libev-devel
 BuildRequires: libxml2-devel
 BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: python3-devel
 BuildRequires: systemd-devel
@ -35,6 +40,7 @@ This package contains the HTTP/2 client, server and proxy programs.
 %package -n libnghttp2
 Summary: A library implementing the HTTP/2 protocol
 Group: Development/Libraries
 %description -n libnghttp2
 libnghttp2 is a library implementing the Hypertext Transfer Protocol
@ -43,6 +49,7 @@ version 2 (HTTP/2) protocol in C.
 %package -n libnghttp2-devel
 Summary: Files needed for building applications with libnghttp2
 Group: Development/Libraries
 Requires: libnghttp2%{?_isa} = %{version}-%{release}
 Requires: pkgconfig
@ -52,18 +59,21 @@ for building applications with libnghttp2.
 %prep
-%autosetup -p1
+%setup -q
-autoreconf -fvi
+%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 autoreconf -fiv
 # make fetch-ocsp-response use Python 3
 sed -e '1 s|^#!/.*python|&3|' -i script/fetch-ocsp-response
 %build
 %configure PYTHON=%{__python3}              \
    --disable-hpack-tools                   \
    --disable-python-bindings               \
    --disable-static                        \
-    --with-libxml2                          \
+    --without-libxml2                       \
    --without-spdylay
 # avoid using rpath
@ -71,7 +81,7 @@ sed -i libtool                              \
    -e 's/^runpath_var=.*/runpath_var=/'    \
    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/'
-%make_build
+make %{?_smp_mflags} V=1
 %install
@ -97,7 +107,7 @@ rm -f "$RPM_BUILD_ROOT%{_datadir}/doc/nghttp2/README.rst"
 %check
 # test the just built library instead of the system one, without using rpath
 export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
-%make_build check
+make %{?_smp_mflags} check
 %files
@ -125,96 +135,27 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
 %changelog
-* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.43.0-6
+* Mon Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6.1
- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
+- fix CONTINUATION frames DoS (CVE-2024-27316)
-* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.43.0-5.1
+* Mon Apr 08 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6
 - fix CONTINUATION frames DoS (CVE-2024-28182)
 * Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.33.0-5
 - fix HTTP/2 Rapid Reset (CVE-2023-44487)
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-5
+* Tue Jun 09 2020 Kamil Dudka <kdudka@redhat.com> 1.33.0-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- prevent DoS caused by overly large SETTINGS frames (CVE-2020-11080)
  Related: rhbz#1991688
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-4
+* Wed Aug 28 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
+- rebuild to trigger gating (#1681044)
  Related: rhbz#1971065
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.43.0-3
+* Mon Aug 19 2019 Kamil Dudka <kdudka@redhat.com> 1.33.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- backport security fixes from nghttp2-1.39.2 (CVE-2019-9511 and CVE-2019-9513)
-* Tue Mar 30 2021 Jonathan Wakely <jwakely@redhat.com> - 1.43.0-2
+* Tue Oct 09 2018 Kamil Dudka <kdudka@redhat.com> 1.33.0-1
 - Rebuilt for removed libstdc++ symbol (#1937698)
 * Tue Feb 02 2021 Kamil Dudka <kdudka@redhat.com> 1.43.0-1
 - update to the latest upstream release
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.42.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Nov 24 2020 Kamil Dudka <kdudka@redhat.com> 1.42.0-1
 - update to the latest upstream release
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.41.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.41.0-2
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 * Tue Jun 02 2020 Kamil Dudka <kdudka@redhat.com> 1.41.0-1
 - update to the latest upstream release
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.40.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Nov 15 2019 Kamil Dudka <kdudka@redhat.com> 1.40.0-1
 - update to the latest upstream release
 * Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> 1.39.2-2
 - enable use of libxml2 to make `nghttp --get-assets` work (#1772462)
 * Wed Aug 14 2019 Kamil Dudka <kdudka@redhat.com> 1.39.2-1
 - update to the latest upstream release
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.39.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Jun 11 2019 Kamil Dudka <kdudka@redhat.com> 1.39.1-1
 - update to the latest upstream release
 * Tue Jun 11 2019 Kamil Dudka <kdudka@redhat.com> 1.39.0-1
 - update to the latest upstream release
 * Thu Apr 18 2019 Kamil Dudka <kdudka@redhat.com> 1.38.0-1
 - update to the latest upstream release
 * Fri Mar 08 2019 Kamil Dudka <kdudka@redhat.com> 1.37.0-1
 - update to the latest upstream release
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.36.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jan 18 2019 Kamil Dudka <kdudka@redhat.com> 1.36.0-1
 - update to the latest upstream release
 * Mon Dec 10 2018 Kamil Dudka <kdudka@redhat.com> 1.35.1-1
 - update to the latest upstream release
 * Fri Nov 23 2018 Kamil Dudka <kdudka@redhat.com> 1.35.0-1
 - update to the latest upstream release
 * Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> 1.34.0-1
 - update to the latest upstream release
 * Mon Sep 03 2018 Kamil Dudka <kdudka@redhat.com> 1.33.0-1
 - use python3 for build
- update to the latest upstream release
+- update to the latest upstream release (#1636992)
 * Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> 1.32.1-1
 - update to the latest upstream bugfix release
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.32.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Wed May 09 2018 Kamil Dudka <kdudka@redhat.com> 1.32.0-1
 - update to the latest upstream release
`@ -1 +1 @@`
	`SOURCES/nghttp2-1.43.0.tar.xz`	`SOURCES/nghttp2-1.33.0.tar.xz`
`@ -1 +1 @@`
	`b9d846e53af53fc5814015c9d3d6c0d2c684c046 SOURCES/nghttp2-1.43.0.tar.xz`	`0a11f7de6ea8e66fbecc9fe4ddc61b6ab40af469 SOURCES/nghttp2-1.33.0.tar.xz`