From 4d3fa5c1655a71d62a71301c9b75e5838369e749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Tue, 16 Apr 2024 15:46:43 +0200
Subject: [PATCH] Backport nghttp2 patch for CVE-2024-28182

Resolves: RHEL-32312
---
 0001-Disable-running-gyp-on-shared-deps.patch |  10 +-
 ...s.patch => 0002-Disable-FIPS-options.patch |  13 ++-
 ...ON-frames-following-an-incoming-HEAD.patch | 107 ++++++++++++++++++
 ...nghttp2_option_set_max_continuations.patch |  89 +++++++++++++++
 nodejs.spec                                   |   9 +-
 5 files changed, 215 insertions(+), 13 deletions(-)
 rename nodejs-fips-disable-options.patch => 0002-Disable-FIPS-options.patch (92%)
 create mode 100644 0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
 create mode 100644 0004-Add-nghttp2_option_set_max_continuations.patch

diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch
index 87acfb9..39eb75f 100644
--- a/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/0001-Disable-running-gyp-on-shared-deps.patch
@@ -1,4 +1,4 @@
-From c73e0892eb1d0aa2df805618c019dc5c96b79705 Mon Sep 17 00:00:00 2001
+From 2da7f25d9311bdea702b4b435830c02ce78b3ab9 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Tue, 30 May 2023 13:12:35 +0200
 Subject: [PATCH] Disable running gyp on shared deps
@@ -10,7 +10,7 @@ Signed-off-by: rpm-build <rpm-build>
  2 files changed, 1 insertion(+), 18 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 0be0659..3c44201 100644
+index 7bd80d0..c43a50f 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -169,7 +169,7 @@ with-code-cache test-code-cache:
@@ -23,10 +23,10 @@ index 0be0659..3c44201 100644
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 diff --git a/node.gyp b/node.gyp
-index cf52281..c33b57b 100644
+index 4aac640..aa0ba88 100644
 --- a/node.gyp
 +++ b/node.gyp
-@@ -430,23 +430,6 @@
+@@ -775,23 +775,6 @@
                ],
              },
            ],
@@ -51,5 +51,5 @@ index cf52281..c33b57b 100644
        ],
      }, # node_core_target_name
 -- 
-2.41.0
+2.44.0
 
diff --git a/nodejs-fips-disable-options.patch b/0002-Disable-FIPS-options.patch
similarity index 92%
rename from nodejs-fips-disable-options.patch
rename to 0002-Disable-FIPS-options.patch
index da9808f..4750f3b 100644
--- a/nodejs-fips-disable-options.patch
+++ b/0002-Disable-FIPS-options.patch
@@ -1,4 +1,4 @@
-From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From 4caaf9c19d3c058f5b89ecd9fc721ee49370651a Mon Sep 17 00:00:00 2001
 From: Michael Dawson <midawson@redhat.com>
 Date: Fri, 23 Feb 2024 13:43:56 +0100
 Subject: [PATCH] Disable FIPS options
@@ -22,7 +22,7 @@ Signed-off-by: rpm-build <rpm-build>
  3 files changed, 18 insertions(+)
 
 diff --git a/lib/crypto.js b/lib/crypto.js
-index 41adecc..b2627ac 100644
+index 1216f3a..fbfcb26 100644
 --- a/lib/crypto.js
 +++ b/lib/crypto.js
 @@ -36,6 +36,9 @@ const {
@@ -35,7 +35,7 @@ index 41adecc..b2627ac 100644
    ERR_CRYPTO_FIPS_FORCED,
    ERR_WORKER_UNSUPPORTED_OPERATION,
  } = require('internal/errors').codes;
-@@ -251,6 +254,13 @@ function getFips() {
+@@ -253,6 +256,13 @@ function getFips() {
  }
  
  function setFips(val) {
@@ -50,10 +50,10 @@ index 41adecc..b2627ac 100644
      if (val) return;
      throw new ERR_CRYPTO_FIPS_FORCED();
 diff --git a/lib/internal/errors.js b/lib/internal/errors.js
-index a722360..04d8a53 100644
+index def4949..580ca7a 100644
 --- a/lib/internal/errors.js
 +++ b/lib/internal/errors.js
-@@ -1060,6 +1060,12 @@ module.exports = {
+@@ -1112,6 +1112,12 @@ module.exports = {
  //
  // Note: Node.js specific errors must begin with the prefix ERR_
  
@@ -80,4 +80,5 @@ index 5734d8f..ef9d1b1 100644
      OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
      if (fips_provider == nullptr)
 -- 
-2.43.2
+2.44.0
+
diff --git a/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch b/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
new file mode 100644
index 0000000..257705d
--- /dev/null
+++ b/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
@@ -0,0 +1,107 @@
+From d9a06fe94439d9f103aeffe597441c0a2c0a4eb3 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/nghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ deps/nghttp2/lib/nghttp2_helper.c           |  2 ++
+ deps/nghttp2/lib/nghttp2_session.c          |  7 +++++++
+ deps/nghttp2/lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+index 8891760..a9629c7 100644
+--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
++++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+@@ -466,7 +466,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+ 
+ /**
+diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
+index 93dd475..b3563d9 100644
+--- a/deps/nghttp2/lib/nghttp2_helper.c
++++ b/deps/nghttp2/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+            "closed";
+   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+     return "SETTINGS frame contained more than the maximum allowed entries";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
+index 226cdd5..e343365 100644
+--- a/deps/nghttp2/lib/nghttp2_session.c
++++ b/deps/nghttp2/lib/nghttp2_session.c
+@@ -497,6 +497,7 @@ static int session_new(nghttp2_session **session_ptr,
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+ 
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6812,6 +6813,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           }
+         }
+         session_inbound_frame_reset(session);
++
++        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6933,6 +6936,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+       }
+ #endif /* DEBUGBUILD */
+ 
++      if (++session->num_continuations > session->max_continuations) {
++        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++      }
++
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+ 
+diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
+index b119329..ef8f7b2 100644
+--- a/deps/nghttp2/lib/nghttp2_session.h
++++ b/deps/nghttp2/lib/nghttp2_session.h
+@@ -110,6 +110,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+ 
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -290,6 +294,12 @@ struct nghttp2_session {
+   size_t max_send_header_block_length;
+   /* The maximum number of settings accepted per SETTINGS frame. */
+   size_t max_settings;
++  /* The maximum number of CONTINUATION frames following an incoming
++     HEADER frame. */
++  size_t max_continuations;
++  /* The number of CONTINUATION frames following an incoming HEADER
++     frame.  This variable is reset when END_HEADERS flag is seen. */
++  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+-- 
+2.44.0
+
diff --git a/0004-Add-nghttp2_option_set_max_continuations.patch b/0004-Add-nghttp2_option_set_max_continuations.patch
new file mode 100644
index 0000000..87b490f
--- /dev/null
+++ b/0004-Add-nghttp2_option_set_max_continuations.patch
@@ -0,0 +1,89 @@
+From ca0a0b02da4db1d65eca8169c6e27bb635924dfb Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:48:10 +0900
+Subject: [PATCH] Add nghttp2_option_set_max_continuations
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
+ deps/nghttp2/lib/nghttp2_option.c           |  5 +++++
+ deps/nghttp2/lib/nghttp2_option.h           |  5 +++++
+ deps/nghttp2/lib/nghttp2_session.c          |  4 ++++
+ 4 files changed, 25 insertions(+)
+
+diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+index a9629c7..92c3ccc 100644
+--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
++++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+@@ -3210,6 +3210,17 @@ NGHTTP2_EXTERN void
+ nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+                                            uint64_t burst, uint64_t rate);
+ 
++/**
++ * @function
++ *
++ * This function sets the maximum number of CONTINUATION frames
++ * following an incoming HEADER frame.  If more than those frames are
++ * received, the remote endpoint is considered to be misbehaving and
++ * session will be closed.  The default value is 8.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
++                                                         size_t val);
++
+ /**
+  * @function
+  *
+diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
+index 43d4e95..53144b9 100644
+--- a/deps/nghttp2/lib/nghttp2_option.c
++++ b/deps/nghttp2/lib/nghttp2_option.c
+@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+   option->stream_reset_burst = burst;
+   option->stream_reset_rate = rate;
+ }
++
++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
++  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
++  option->max_continuations = val;
++}
+diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
+index 2259e18..c89cb97 100644
+--- a/deps/nghttp2/lib/nghttp2_option.h
++++ b/deps/nghttp2/lib/nghttp2_option.h
+@@ -71,6 +71,7 @@ typedef enum {
+   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
+   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
+   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
++  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
+ } nghttp2_option_flag;
+ 
+ /**
+@@ -98,6 +99,10 @@ struct nghttp2_option {
+    * NGHTTP2_OPT_MAX_SETTINGS
+    */
+   size_t max_settings;
++  /**
++   * NGHTTP2_OPT_MAX_CONTINUATIONS
++   */
++  size_t max_continuations;
+   /**
+    * Bitwise OR of nghttp2_option_flag to determine that which fields
+    * are specified.
+diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
+index e343365..555032d 100644
+--- a/deps/nghttp2/lib/nghttp2_session.c
++++ b/deps/nghttp2/lib/nghttp2_session.c
+@@ -586,6 +586,10 @@ static int session_new(nghttp2_session **session_ptr,
+                            option->stream_reset_burst,
+                            option->stream_reset_rate);
+     }
++
++    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
++      (*session_ptr)->max_continuations = option->max_continuations;
++    }
+   }
+ 
+   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+-- 
+2.44.0
+
diff --git a/nodejs.spec b/nodejs.spec
index e3e8d16..9ab27a1 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -33,7 +33,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -191,7 +191,9 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-Patch3: nodejs-fips-disable-options.patch
+Patch2: 0002-Disable-FIPS-options.patch
+Patch3: 0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
+Patch4: 0004-Add-nghttp2_option_set_max_continuations.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -722,6 +724,9 @@ end
 
 
 %changelog
+* Tue Apr 16 2024 Jan Staněk <jstanek@redhat.com> - 1:20.12.2-2
+- Backport nghttp2 patch for CVE-2024-28182
+
 * Tue Apr 16 2024 Jan Staněk <jstanek@redhat.com> - 1:20.12.2-1
 - Rebase to version 20.12.0
   Addresses CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 (node)