Sync from SUSE:SLFO:Main nghttp2 revision 2303cf99e914c2c93f3df1aca347d6c5
This commit is contained in:
parent
adf7b273e1
commit
05bc9efd8d
@ -46,11 +46,11 @@ into NGHTTP2_ERR_CALLBACK_FAILURE.
|
|||||||
tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++
|
tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++
|
||||||
2 files changed, 39 insertions(+), 5 deletions(-)
|
2 files changed, 39 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
|
Index: nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
index 7509ceb5..71858a39 100644
|
===================================================================
|
||||||
--- a/lib/nghttp2_session.c
|
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
|
||||||
+++ b/lib/nghttp2_session.c
|
+++ nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
@@ -3296,6 +3296,7 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session,
|
@@ -3300,6 +3300,7 @@ static ssize_t nghttp2_session_mem_send_
|
||||||
if (rv < 0) {
|
if (rv < 0) {
|
||||||
int32_t opened_stream_id = 0;
|
int32_t opened_stream_id = 0;
|
||||||
uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
|
uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
|
||||||
@ -58,7 +58,7 @@ index 7509ceb5..71858a39 100644
|
|||||||
|
|
||||||
DEBUGF("send: frame preparation failed with %s\n",
|
DEBUGF("send: frame preparation failed with %s\n",
|
||||||
nghttp2_strerror(rv));
|
nghttp2_strerror(rv));
|
||||||
@@ -3338,19 +3339,18 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session,
|
@@ -3342,19 +3343,18 @@ static ssize_t nghttp2_session_mem_send_
|
||||||
}
|
}
|
||||||
if (opened_stream_id) {
|
if (opened_stream_id) {
|
||||||
/* careful not to override rv */
|
/* careful not to override rv */
|
||||||
@ -82,11 +82,11 @@ index 7509ceb5..71858a39 100644
|
|||||||
if (rv == NGHTTP2_ERR_HEADER_COMP) {
|
if (rv == NGHTTP2_ERR_HEADER_COMP) {
|
||||||
/* If header compression error occurred, should terminiate
|
/* If header compression error occurred, should terminiate
|
||||||
connection. */
|
connection. */
|
||||||
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
|
Index: nghttp2-1.52.0/tests/nghttp2_session_test.c
|
||||||
index b55ff534..74352426 100644
|
===================================================================
|
||||||
--- a/tests/nghttp2_session_test.c
|
--- nghttp2-1.52.0.orig/tests/nghttp2_session_test.c
|
||||||
+++ b/tests/nghttp2_session_test.c
|
+++ nghttp2-1.52.0/tests/nghttp2_session_test.c
|
||||||
@@ -584,6 +584,15 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
|
@@ -585,6 +585,15 @@ static int on_stream_close_callback(nght
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ index b55ff534..74352426 100644
|
|||||||
static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
|
static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
|
||||||
size_t len, const nghttp2_frame *frame,
|
size_t len, const nghttp2_frame *frame,
|
||||||
void *user_data) {
|
void *user_data) {
|
||||||
@@ -4296,6 +4305,8 @@ void test_nghttp2_session_on_goaway_received(void) {
|
@@ -4297,6 +4306,8 @@ void test_nghttp2_session_on_goaway_rece
|
||||||
nghttp2_frame frame;
|
nghttp2_frame frame;
|
||||||
int i;
|
int i;
|
||||||
nghttp2_mem *mem;
|
nghttp2_mem *mem;
|
||||||
@ -111,7 +111,7 @@ index b55ff534..74352426 100644
|
|||||||
|
|
||||||
mem = nghttp2_mem_default();
|
mem = nghttp2_mem_default();
|
||||||
user_data.frame_recv_cb_called = 0;
|
user_data.frame_recv_cb_called = 0;
|
||||||
@@ -4337,6 +4348,29 @@ void test_nghttp2_session_on_goaway_received(void) {
|
@@ -4338,6 +4349,29 @@ void test_nghttp2_session_on_goaway_rece
|
||||||
|
|
||||||
nghttp2_frame_goaway_free(&frame.goaway, mem);
|
nghttp2_frame_goaway_free(&frame.goaway, mem);
|
||||||
nghttp2_session_del(session);
|
nghttp2_session_del(session);
|
||||||
@ -141,6 +141,3 @@ index b55ff534..74352426 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
void test_nghttp2_session_on_window_update_received(void) {
|
void test_nghttp2_session_on_window_update_received(void) {
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
||||||
|
103
nghttp2-CVE-2024-28182-1.patch
Normal file
103
nghttp2-CVE-2024-28182-1.patch
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||||
|
Date: Sat, 9 Mar 2024 16:26:42 +0900
|
||||||
|
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
|
||||||
|
|
||||||
|
---
|
||||||
|
lib/includes/nghttp2/nghttp2.h | 7 ++++++-
|
||||||
|
lib/nghttp2_helper.c | 2 ++
|
||||||
|
lib/nghttp2_session.c | 7 +++++++
|
||||||
|
lib/nghttp2_session.h | 10 ++++++++++
|
||||||
|
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
|
||||||
|
+++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
|
||||||
|
@@ -440,7 +440,12 @@ typedef enum {
|
||||||
|
* exhaustion on server side to send these frames forever and does
|
||||||
|
* not read network.
|
||||||
|
*/
|
||||||
|
- NGHTTP2_ERR_FLOODED = -904
|
||||||
|
+ NGHTTP2_ERR_FLOODED = -904,
|
||||||
|
+ /**
|
||||||
|
+ * When a local endpoint receives too many CONTINUATION frames
|
||||||
|
+ * following a HEADER frame.
|
||||||
|
+ */
|
||||||
|
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
||||||
|
} nghttp2_error;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_helper.c
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_helper.c
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_helper.c
|
||||||
|
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_c
|
||||||
|
"closed";
|
||||||
|
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
||||||
|
return "SETTINGS frame contained more than the maximum allowed entries";
|
||||||
|
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
||||||
|
+ return "Too many CONTINUATION frames following a HEADER frame";
|
||||||
|
default:
|
||||||
|
return "Unknown error code";
|
||||||
|
}
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
|
@@ -491,6 +491,7 @@ static int session_new(nghttp2_session *
|
||||||
|
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
||||||
|
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
||||||
|
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
||||||
|
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
||||||
|
|
||||||
|
if (option) {
|
||||||
|
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
||||||
|
@@ -6838,6 +6839,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2
|
||||||
|
}
|
||||||
|
}
|
||||||
|
session_inbound_frame_reset(session);
|
||||||
|
+
|
||||||
|
+ session->num_continuations = 0;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -6959,6 +6962,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
|
||||||
|
}
|
||||||
|
#endif /* DEBUGBUILD */
|
||||||
|
|
||||||
|
+ if (++session->num_continuations > session->max_continuations) {
|
||||||
|
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
readlen = inbound_frame_buf_read(iframe, in, last);
|
||||||
|
in += readlen;
|
||||||
|
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_session.h
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_session.h
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_session.h
|
||||||
|
@@ -105,6 +105,10 @@ typedef struct {
|
||||||
|
/* The default value of maximum number of concurrent streams. */
|
||||||
|
#define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
|
||||||
|
|
||||||
|
+/* The default max number of CONTINUATION frames following an incoming
|
||||||
|
+ HEADER frame. */
|
||||||
|
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
||||||
|
+
|
||||||
|
/* Internal state when receiving incoming frame */
|
||||||
|
typedef enum {
|
||||||
|
/* Receiving frame header */
|
||||||
|
@@ -280,6 +284,12 @@ struct nghttp2_session {
|
||||||
|
size_t max_send_header_block_length;
|
||||||
|
/* The maximum number of settings accepted per SETTINGS frame. */
|
||||||
|
size_t max_settings;
|
||||||
|
+ /* The maximum number of CONTINUATION frames following an incoming
|
||||||
|
+ HEADER frame. */
|
||||||
|
+ size_t max_continuations;
|
||||||
|
+ /* The number of CONTINUATION frames following an incoming HEADER
|
||||||
|
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
||||||
|
+ size_t num_continuations;
|
||||||
|
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
||||||
|
uint32_t next_stream_id;
|
||||||
|
/* The last stream ID this session initiated. For client session,
|
86
nghttp2-CVE-2024-28182-2.patch
Normal file
86
nghttp2-CVE-2024-28182-2.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||||
|
Date: Sat, 9 Mar 2024 16:48:10 +0900
|
||||||
|
Subject: [PATCH] Add nghttp2_option_set_max_continuations
|
||||||
|
|
||||||
|
---
|
||||||
|
doc/Makefile.am | 1 +
|
||||||
|
lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
|
||||||
|
lib/nghttp2_option.c | 5 +++++
|
||||||
|
lib/nghttp2_option.h | 5 +++++
|
||||||
|
lib/nghttp2_session.c | 4 ++++
|
||||||
|
5 files changed, 26 insertions(+)
|
||||||
|
|
||||||
|
Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
|
||||||
|
+++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
|
||||||
|
@@ -3215,6 +3215,17 @@ nghttp2_session_set_stream_user_data(ngh
|
||||||
|
/**
|
||||||
|
* @function
|
||||||
|
*
|
||||||
|
+ * This function sets the maximum number of CONTINUATION frames
|
||||||
|
+ * following an incoming HEADER frame. If more than those frames are
|
||||||
|
+ * received, the remote endpoint is considered to be misbehaving and
|
||||||
|
+ * session will be closed. The default value is 8.
|
||||||
|
+ */
|
||||||
|
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
||||||
|
+ size_t val);
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * @function
|
||||||
|
+ *
|
||||||
|
* Sets |user_data| to |session|, overwriting the existing user data
|
||||||
|
* specified in `nghttp2_session_client_new()`, or
|
||||||
|
* `nghttp2_session_server_new()`.
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_option.c
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_option.c
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_option.c
|
||||||
|
@@ -143,3 +143,8 @@ void nghttp2_option_set_no_rfc9113_leadi
|
||||||
|
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
|
||||||
|
option->no_rfc9113_leading_and_trailing_ws_validation = val;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
||||||
|
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
||||||
|
+ option->max_continuations = val;
|
||||||
|
+}
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_option.h
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_option.h
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_option.h
|
||||||
|
@@ -70,6 +70,7 @@ typedef enum {
|
||||||
|
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
|
||||||
|
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
|
||||||
|
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
|
||||||
|
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
||||||
|
} nghttp2_option_flag;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -93,6 +94,10 @@ struct nghttp2_option {
|
||||||
|
*/
|
||||||
|
size_t max_settings;
|
||||||
|
/**
|
||||||
|
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
||||||
|
+ */
|
||||||
|
+ size_t max_continuations;
|
||||||
|
+ /**
|
||||||
|
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
||||||
|
* are specified.
|
||||||
|
*/
|
||||||
|
Index: nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
|
===================================================================
|
||||||
|
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
|
||||||
|
+++ nghttp2-1.52.0/lib/nghttp2_session.c
|
||||||
|
@@ -574,6 +574,10 @@ static int session_new(nghttp2_session *
|
||||||
|
(*session_ptr)->opt_flags |=
|
||||||
|
NGHTTP2_OPTMASK_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
||||||
|
+ (*session_ptr)->max_continuations = option->max_continuations;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
@ -1,3 +1,13 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 4 12:25:30 UTC 2024 - pgajdos@suse.com
|
||||||
|
|
||||||
|
- security update
|
||||||
|
- added patches
|
||||||
|
fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
|
||||||
|
+ nghttp2-CVE-2024-28182-1.patch
|
||||||
|
fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
|
||||||
|
+ nghttp2-CVE-2024-28182-2.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 26 13:58:42 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
Tue Sep 26 13:58:42 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
||||||
|
|
||||||
|
@ -35,6 +35,10 @@ Source: https://github.com/nghttp2/nghttp2/releases/download/v%{version}
|
|||||||
Source1: baselibs.conf
|
Source1: baselibs.conf
|
||||||
# CVE-2023-35945 [bsc#1215713], Fixes leak memory
|
# CVE-2023-35945 [bsc#1215713], Fixes leak memory
|
||||||
Patch0: nghttp2-CVE-2023-35945.patch
|
Patch0: nghttp2-CVE-2023-35945.patch
|
||||||
|
# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
|
||||||
|
Patch1: nghttp2-CVE-2024-28182-1.patch
|
||||||
|
# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
|
||||||
|
Patch2: nghttp2-CVE-2024-28182-2.patch
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -123,8 +127,8 @@ Documentation for nghttp2, which includes a shared C library,
|
|||||||
HTTP/2 client, server and proxy.
|
HTTP/2 client, server and proxy.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n nghttp2-%{version}
|
%autosetup -p1 -n nghttp2-%{version}
|
||||||
%patch0 -p1
|
|
||||||
# fix python shebang
|
# fix python shebang
|
||||||
sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
|
sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user