parent
b8d2507c04
commit
706337ab0e
@ -0,0 +1,42 @@
|
||||
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
|
||||
From: RafaelGSS <rafael.nunu@hotmail.com>
|
||||
Date: Tue, 26 Mar 2024 15:55:13 -0300
|
||||
Subject: [PATCH] src: ensure to close stream when destroying session
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
|
||||
PR-URL: https://github.com/nodejs-private/node-private/pull/561
|
||||
Fixes: https://hackerone.com/reports/2319584
|
||||
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
||||
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
|
||||
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
||||
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
||||
CVE-ID: CVE-2024-27983
|
||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
src/node_http2.cc | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/node_http2.cc b/src/node_http2.cc
|
||||
index 53216dc..9a6d63d 100644
|
||||
--- a/src/node_http2.cc
|
||||
+++ b/src/node_http2.cc
|
||||
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
|
||||
Http2Session::~Http2Session() {
|
||||
CHECK(!is_in_scope());
|
||||
Debug(this, "freeing nghttp2 session");
|
||||
+ // Ensure that all `Http2Stream` instances and the memory they hold
|
||||
+ // on to are destroyed before the nghttp2 session is.
|
||||
+ for (const auto& [id, stream] : streams_) {
|
||||
+ stream->Detach();
|
||||
+ }
|
||||
+ streams_.clear();
|
||||
// Explicitly reset session_ so the subsequent
|
||||
// current_nghttp2_memory_ check passes.
|
||||
session_.reset();
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,112 @@
|
||||
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
|
||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||
Date: Sat, 9 Mar 2024 16:26:42 +0900
|
||||
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||
Fixes: CVE-2024-28182
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
|
||||
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
|
||||
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
|
||||
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
|
||||
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
index fa22081..b394bde 100644
|
||||
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
@@ -440,7 +440,12 @@ typedef enum {
|
||||
* exhaustion on server side to send these frames forever and does
|
||||
* not read network.
|
||||
*/
|
||||
- NGHTTP2_ERR_FLOODED = -904
|
||||
+ NGHTTP2_ERR_FLOODED = -904,
|
||||
+ /**
|
||||
+ * When a local endpoint receives too many CONTINUATION frames
|
||||
+ * following a HEADER frame.
|
||||
+ */
|
||||
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
||||
} nghttp2_error;
|
||||
|
||||
/**
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
|
||||
index 93dd475..b3563d9 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_helper.c
|
||||
+++ b/deps/nghttp2/lib/nghttp2_helper.c
|
||||
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
|
||||
"closed";
|
||||
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
||||
return "SETTINGS frame contained more than the maximum allowed entries";
|
||||
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
||||
+ return "Too many CONTINUATION frames following a HEADER frame";
|
||||
default:
|
||||
return "Unknown error code";
|
||||
}
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
||||
index ec5024d..8e4d2e7 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_session.c
|
||||
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
||||
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
|
||||
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
||||
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
||||
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
||||
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
||||
|
||||
if (option) {
|
||||
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
||||
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
}
|
||||
}
|
||||
session_inbound_frame_reset(session);
|
||||
+
|
||||
+ session->num_continuations = 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||
}
|
||||
#endif /* DEBUGBUILD */
|
||||
|
||||
+ if (++session->num_continuations > session->max_continuations) {
|
||||
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
||||
+ }
|
||||
+
|
||||
readlen = inbound_frame_buf_read(iframe, in, last);
|
||||
in += readlen;
|
||||
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
|
||||
index b119329..ef8f7b2 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_session.h
|
||||
+++ b/deps/nghttp2/lib/nghttp2_session.h
|
||||
@@ -110,6 +110,10 @@ typedef struct {
|
||||
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
||||
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
||||
|
||||
+/* The default max number of CONTINUATION frames following an incoming
|
||||
+ HEADER frame. */
|
||||
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
||||
+
|
||||
/* Internal state when receiving incoming frame */
|
||||
typedef enum {
|
||||
/* Receiving frame header */
|
||||
@@ -290,6 +294,12 @@ struct nghttp2_session {
|
||||
size_t max_send_header_block_length;
|
||||
/* The maximum number of settings accepted per SETTINGS frame. */
|
||||
size_t max_settings;
|
||||
+ /* The maximum number of CONTINUATION frames following an incoming
|
||||
+ HEADER frame. */
|
||||
+ size_t max_continuations;
|
||||
+ /* The number of CONTINUATION frames following an incoming HEADER
|
||||
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
||||
+ size_t num_continuations;
|
||||
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
||||
uint32_t next_stream_id;
|
||||
/* The last stream ID this session initiated. For client session,
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,94 @@
|
||||
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
|
||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||
Date: Sat, 9 Mar 2024 16:48:10 +0900
|
||||
Subject: [PATCH] Add nghttp2_option_set_max_continuations
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||
Related: CVE-2024-28182
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
|
||||
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
|
||||
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
|
||||
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
|
||||
4 files changed, 25 insertions(+)
|
||||
|
||||
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
index b394bde..4d3339b 100644
|
||||
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
|
||||
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
||||
uint64_t burst, uint64_t rate);
|
||||
|
||||
+/**
|
||||
+ * @function
|
||||
+ *
|
||||
+ * This function sets the maximum number of CONTINUATION frames
|
||||
+ * following an incoming HEADER frame. If more than those frames are
|
||||
+ * received, the remote endpoint is considered to be misbehaving and
|
||||
+ * session will be closed. The default value is 8.
|
||||
+ */
|
||||
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
||||
+ size_t val);
|
||||
+
|
||||
/**
|
||||
* @function
|
||||
*
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
|
||||
index 43d4e95..53144b9 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_option.c
|
||||
+++ b/deps/nghttp2/lib/nghttp2_option.c
|
||||
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
||||
option->stream_reset_burst = burst;
|
||||
option->stream_reset_rate = rate;
|
||||
}
|
||||
+
|
||||
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
||||
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
||||
+ option->max_continuations = val;
|
||||
+}
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
|
||||
index 2259e18..c89cb97 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_option.h
|
||||
+++ b/deps/nghttp2/lib/nghttp2_option.h
|
||||
@@ -71,6 +71,7 @@ typedef enum {
|
||||
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
|
||||
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
|
||||
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
||||
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
||||
} nghttp2_option_flag;
|
||||
|
||||
/**
|
||||
@@ -98,6 +99,10 @@ struct nghttp2_option {
|
||||
* NGHTTP2_OPT_MAX_SETTINGS
|
||||
*/
|
||||
size_t max_settings;
|
||||
+ /**
|
||||
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
||||
+ */
|
||||
+ size_t max_continuations;
|
||||
/**
|
||||
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
||||
* are specified.
|
||||
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
||||
index 8e4d2e7..ced7517 100644
|
||||
--- a/deps/nghttp2/lib/nghttp2_session.c
|
||||
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
||||
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
|
||||
option->stream_reset_burst,
|
||||
option->stream_reset_rate);
|
||||
}
|
||||
+
|
||||
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
||||
+ (*session_ptr)->max_continuations = option->max_continuations;
|
||||
+ }
|
||||
}
|
||||
|
||||
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
||||
--
|
||||
2.44.0
|
||||
|
File diff suppressed because one or more lines are too long
@ -0,0 +1,39 @@
|
||||
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
|
||||
From: Brad House <brad@brad-house.com>
|
||||
Date: Thu, 22 Feb 2024 16:23:33 -0500
|
||||
Subject: [PATCH] Address CVE-2024-25629
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
|
||||
|
||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||
Fixes: CVE-2024-25629
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
|
||||
index c62ad2a..16627e4 100644
|
||||
--- a/deps/cares/src/lib/ares__read_line.c
|
||||
+++ b/deps/cares/src/lib/ares__read_line.c
|
||||
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
|
||||
if (!fgets(*buf + offset, bytestoread, fp))
|
||||
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
|
||||
len = offset + strlen(*buf + offset);
|
||||
+
|
||||
+ /* Probably means there was an embedded NULL as the first character in
|
||||
+ * the line, throw away line */
|
||||
+ if (len == 0) {
|
||||
+ offset = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((*buf)[len - 1] == '\n')
|
||||
{
|
||||
(*buf)[len - 1] = 0;
|
||||
--
|
||||
2.44.0
|
||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue