|
| 1 | +Author: Damien Neil <dneil@google.com> |
| 2 | +AuthorDate: 2024-01-10 13:41:39 -0800 |
| 3 | +Commit: Gopher Robot <gobot@golang.org> |
| 4 | +CommitDate: 2024-04-03 17:06:00 +0000 |
| 5 | + |
| 6 | +[internal-branch.go1.21-vendor] http2: close connections when receiving too many headers |
| 7 | + |
| 8 | +Maintaining HPACK state requires that we parse and process |
| 9 | +all HEADERS and CONTINUATION frames on a connection. |
| 10 | +When a request's headers exceed MaxHeaderBytes, we don't |
| 11 | +allocate memory to store the excess headers but we do |
| 12 | +parse them. This permits an attacker to cause an HTTP/2 |
| 13 | +endpoint to read arbitrary amounts of data, all associated |
| 14 | +with a request which is going to be rejected. |
| 15 | + |
| 16 | +Set a limit on the amount of excess header frames we |
| 17 | +will process before closing a connection. |
| 18 | + |
| 19 | +Thanks to Bartek Nowotarski for reporting this issue. |
| 20 | + |
| 21 | +Fixes CVE-2023-45288 |
| 22 | +For golang/go#65051 |
| 23 | + |
| 24 | +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 |
| 25 | +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 |
| 26 | +Reviewed-by: Roland Shoemaker <bracewell@google.com> |
| 27 | +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> |
| 28 | +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243 |
| 29 | +Run-TryBot: Damien Neil <dneil@google.com> |
| 30 | +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> |
| 31 | +Reviewed-on: https://go-review.googlesource.com/c/net/+/576057 |
| 32 | +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> |
| 33 | +Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> |
| 34 | + |
| 35 | +diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go |
| 36 | +index c1f6b90..175c154 100644 |
| 37 | +--- a/vendor/golang.org/x/net/http2/frame.go |
| 38 | ++++ b/vendor/golang.org/x/net/http2/frame.go |
| 39 | +@@ -1565,6 +1565,7 @@ |
| 40 | + if size > remainSize { |
| 41 | + hdec.SetEmitEnabled(false) |
| 42 | + mh.Truncated = true |
| 43 | ++ remainSize = 0 |
| 44 | + return |
| 45 | + } |
| 46 | + remainSize -= size |
| 47 | +@@ -1577,6 +1578,36 @@ |
| 48 | + var hc headersOrContinuation = hf |
| 49 | + for { |
| 50 | + frag := hc.HeaderBlockFragment() |
| 51 | ++ |
| 52 | ++ // Avoid parsing large amounts of headers that we will then discard. |
| 53 | ++ // If the sender exceeds the max header list size by too much, |
| 54 | ++ // skip parsing the fragment and close the connection. |
| 55 | ++ // |
| 56 | ++ // "Too much" is either any CONTINUATION frame after we've already |
| 57 | ++ // exceeded the max header list size (in which case remainSize is 0), |
| 58 | ++ // or a frame whose encoded size is more than twice the remaining |
| 59 | ++ // header list bytes we're willing to accept. |
| 60 | ++ if int64(len(frag)) > int64(2*remainSize) { |
| 61 | ++ if VerboseLogs { |
| 62 | ++ log.Printf("http2: header list too large") |
| 63 | ++ } |
| 64 | ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, |
| 65 | ++ // but the struture of the server's frame writer makes this difficult. |
| 66 | ++ return nil, ConnectionError(ErrCodeProtocol) |
| 67 | ++ } |
| 68 | ++ |
| 69 | ++ // Also close the connection after any CONTINUATION frame following an |
| 70 | ++ // invalid header, since we stop tracking the size of the headers after |
| 71 | ++ // an invalid one. |
| 72 | ++ if invalid != nil { |
| 73 | ++ if VerboseLogs { |
| 74 | ++ log.Printf("http2: invalid header: %v", invalid) |
| 75 | ++ } |
| 76 | ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, |
| 77 | ++ // but the struture of the server's frame writer makes this difficult. |
| 78 | ++ return nil, ConnectionError(ErrCodeProtocol) |
| 79 | ++ } |
| 80 | ++ |
| 81 | + if _, err := hdec.Write(frag); err != nil { |
| 82 | + return nil, ConnectionError(ErrCodeCompression) |
| 83 | + } |
0 commit comments