nodejs/SOURCES/0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch

From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
 deps/nghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
 deps/nghttp2/lib/nghttp2_helper.c           |  2 ++
 deps/nghttp2/lib/nghttp2_session.c          |  7 +++++++
 deps/nghttp2/lib/nghttp2_session.h          | 10 ++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index fa22081..b394bde 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
-  NGHTTP2_ERR_FLOODED = -904
+  NGHTTP2_ERR_FLOODED = -904,
+  /**
+   * When a local endpoint receives too many CONTINUATION frames
+   * following a HEADER frame.
+   */
+  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
 } nghttp2_error;
 
 /**
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
index 93dd475..b3563d9 100644
--- a/deps/nghttp2/lib/nghttp2_helper.c
+++ b/deps/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
            "closed";
   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
     return "SETTINGS frame contained more than the maximum allowed entries";
+  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+    return "Too many CONTINUATION frames following a HEADER frame";
   default:
     return "Unknown error code";
   }
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index ec5024d..8e4d2e7 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
 
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
           }
         }
         session_inbound_frame_reset(session);
+
+        session->num_continuations = 0;
       }
       break;
     }
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
       }
 #endif /* DEBUGBUILD */
 
+      if (++session->num_continuations > session->max_continuations) {
+        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+      }
+
       readlen = inbound_frame_buf_read(iframe, in, last);
       in += readlen;
 
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
index b119329..ef8f7b2 100644
--- a/deps/nghttp2/lib/nghttp2_session.h
+++ b/deps/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
 #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
 #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
 
+/* The default max number of CONTINUATION frames following an incoming
+   HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
@@ -290,6 +294,12 @@ struct nghttp2_session {
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
+  /* The maximum number of CONTINUATION frames following an incoming
+     HEADER frame. */
+  size_t max_continuations;
+  /* The number of CONTINUATION frames following an incoming HEADER
+     frame.  This variable is reset when END_HEADERS flag is seen. */
+  size_t num_continuations;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
-- 
2.44.0
import UBI nodejs-16.20.2-8.el9_4 2024-05-20 02:29:43 +00:00			`From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001`
			`From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>`
			`Date: Sat, 9 Mar 2024 16:26:42 +0900`
			`Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Signed-off-by: Jan Staněk <jstanek@redhat.com>`
			`Fixes: CVE-2024-28182`
			`Signed-off-by: rpm-build <rpm-build>`
			`---`
			`deps/nghttp2/lib/includes/nghttp2/nghttp2.h \| 7 ++++++-`
			`deps/nghttp2/lib/nghttp2_helper.c \| 2 ++`
			`deps/nghttp2/lib/nghttp2_session.c \| 7 +++++++`
			`deps/nghttp2/lib/nghttp2_session.h \| 10 ++++++++++`
			`4 files changed, 25 insertions(+), 1 deletion(-)`

			`diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h`
			`index fa22081..b394bde 100644`
			`--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h`
			`+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h`
			`@@ -440,7 +440,12 @@ typedef enum {`
			`* exhaustion on server side to send these frames forever and does`
			`* not read network.`
			`*/`
			`- NGHTTP2_ERR_FLOODED = -904`
			`+ NGHTTP2_ERR_FLOODED = -904,`
			`+ /**`
			`+ * When a local endpoint receives too many CONTINUATION frames`
			`+ * following a HEADER frame.`
			`+ */`
			`+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,`
			`} nghttp2_error;`

			`/**`
			`diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c`
			`index 93dd475..b3563d9 100644`
			`--- a/deps/nghttp2/lib/nghttp2_helper.c`
			`+++ b/deps/nghttp2/lib/nghttp2_helper.c`
			`@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {`
			`"closed";`
			`case NGHTTP2_ERR_TOO_MANY_SETTINGS:`
			`return "SETTINGS frame contained more than the maximum allowed entries";`
			`+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:`
			`+ return "Too many CONTINUATION frames following a HEADER frame";`
			`default:`
			`return "Unknown error code";`
			`}`
			`diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c`
			`index ec5024d..8e4d2e7 100644`
			`--- a/deps/nghttp2/lib/nghttp2_session.c`
			`+++ b/deps/nghttp2/lib/nghttp2_session.c`
			`@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,`
			`(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;`
			`(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;`
			`(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;`
			`+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;`

			`if (option) {`
			`if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&`
			`@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session session, const uint8_t in,`
			`}`
			`}`
			`session_inbound_frame_reset(session);`
			`+`
			`+ session->num_continuations = 0;`
			`}`
			`break;`
			`}`
			`@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session session, const uint8_t in,`
			`}`
			`#endif /* DEBUGBUILD */`

			`+ if (++session->num_continuations > session->max_continuations) {`
			`+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;`
			`+ }`
			`+`
			`readlen = inbound_frame_buf_read(iframe, in, last);`
			`in += readlen;`

			`diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h`
			`index b119329..ef8f7b2 100644`
			`--- a/deps/nghttp2/lib/nghttp2_session.h`
			`+++ b/deps/nghttp2/lib/nghttp2_session.h`
			`@@ -110,6 +110,10 @@ typedef struct {`
			`#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000`
			`#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33`

			`+/* The default max number of CONTINUATION frames following an incoming`
			`+ HEADER frame. */`
			`+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8`
			`+`
			`/* Internal state when receiving incoming frame */`
			`typedef enum {`
			`/* Receiving frame header */`
			`@@ -290,6 +294,12 @@ struct nghttp2_session {`
			`size_t max_send_header_block_length;`
			`/* The maximum number of settings accepted per SETTINGS frame. */`
			`size_t max_settings;`
			`+ /* The maximum number of CONTINUATION frames following an incoming`
			`+ HEADER frame. */`
			`+ size_t max_continuations;`
			`+ /* The number of CONTINUATION frames following an incoming HEADER`
			`+ frame. This variable is reset when END_HEADERS flag is seen. */`
			`+ size_t num_continuations;`
			`/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */`
			`uint32_t next_stream_id;`
			`/* The last stream ID this session initiated. For client session,`
			`--`
			`2.44.0`