Compare commits
No commits in common. 'c9' and 'i9c-stream-18' have entirely different histories.
c9
...
i9c-stream
@ -1,6 +1,5 @@
|
|||||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
SOURCES/icu4c-71_1-src.tgz
|
SOURCES/icu4c-74_2-src.tgz
|
||||||
SOURCES/node-v16.20.2-stripped.tar.gz
|
SOURCES/node-v18.20.4-stripped.tar.gz
|
||||||
SOURCES/undici-5.20.0.tar.gz
|
SOURCES/undici-5.28.4.tar.gz
|
||||||
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
|
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
|
43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz
|
||||||
0024086ed6090aaea422fb2bd329f898bf924df6 SOURCES/node-v16.20.2-stripped.tar.gz
|
1865285a5bf26669d5fadbc5eb78e97f4adad612 SOURCES/node-v18.20.4-stripped.tar.gz
|
||||||
0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
|
d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz
|
||||||
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
|
|
||||||
|
@ -1,26 +0,0 @@
|
|||||||
From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Honza Horak <hhorak@redhat.com>
|
|
||||||
Date: Thu, 12 Oct 2023 13:52:59 +0200
|
|
||||||
Subject: [PATCH] disable fips options
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
src/crypto/crypto_util.cc | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
|
|
||||||
index 59ae7f8..7343396 100644
|
|
||||||
--- a/src/crypto/crypto_util.cc
|
|
||||||
+++ b/src/crypto/crypto_util.cc
|
|
||||||
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
|
|
||||||
/* Override FIPS settings in configuration file, if needed. */
|
|
||||||
if (per_process::cli_options->enable_fips_crypto ||
|
|
||||||
per_process::cli_options->force_fips_crypto) {
|
|
||||||
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
|
|
||||||
+ return false;
|
|
||||||
#if OPENSSL_VERSION_MAJOR >= 3
|
|
||||||
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
|
||||||
if (fips_provider == nullptr)
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,581 +0,0 @@
|
|||||||
From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Honza Horak <hhorak@redhat.com>
|
|
||||||
Date: Mon, 15 Apr 2024 15:21:35 +0200
|
|
||||||
Subject: [PATCH] Fix CVE-2024-22019
|
|
||||||
|
|
||||||
Resolves: RHEL-28064
|
|
||||||
|
|
||||||
This is a combination of the upstream commit from v18:
|
|
||||||
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
|
|
||||||
|
|
||||||
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
|
|
||||||
chunk features.
|
|
||||||
|
|
||||||
Original patch:
|
|
||||||
> From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
|
|
||||||
> From: Paolo Insogna <paolo@cowtech.it>
|
|
||||||
> Date: Tue, 9 Jan 2024 18:10:04 +0100
|
|
||||||
> Subject: [PATCH] http: add maximum chunk extension size
|
|
||||||
>
|
|
||||||
> Cherry-picked from v18 patch:
|
|
||||||
> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
|
|
||||||
>
|
|
||||||
> PR-URL: https://github.com/nodejs-private/node-private/pull/520
|
|
||||||
> Refs: https://github.com/nodejs-private/node-private/pull/518
|
|
||||||
> CVE-ID: CVE-2024-22019
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/llhttp/.gitignore | 1 +
|
|
||||||
deps/llhttp/CMakeLists.txt | 2 +-
|
|
||||||
deps/llhttp/include/llhttp.h | 7 +-
|
|
||||||
deps/llhttp/src/api.c | 7 +
|
|
||||||
deps/llhttp/src/llhttp.c | 122 ++++++++++++++--
|
|
||||||
doc/api/errors.md | 12 ++
|
|
||||||
lib/_http_server.js | 9 ++
|
|
||||||
src/node_http_parser.cc | 20 ++-
|
|
||||||
.../test-http-chunk-extensions-limit.js | 131 ++++++++++++++++++
|
|
||||||
tools/update-llhttp.sh | 2 +-
|
|
||||||
10 files changed, 294 insertions(+), 19 deletions(-)
|
|
||||||
create mode 100644 deps/llhttp/.gitignore
|
|
||||||
create mode 100644 test/parallel/test-http-chunk-extensions-limit.js
|
|
||||||
|
|
||||||
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..98438a2
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/deps/llhttp/.gitignore
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+libllhttp.pc
|
|
||||||
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
|
|
||||||
index d038203..747564a 100644
|
|
||||||
--- a/deps/llhttp/CMakeLists.txt
|
|
||||||
+++ b/deps/llhttp/CMakeLists.txt
|
|
||||||
@@ -1,7 +1,7 @@
|
|
||||||
cmake_minimum_required(VERSION 3.5.1)
|
|
||||||
cmake_policy(SET CMP0069 NEW)
|
|
||||||
|
|
||||||
-project(llhttp VERSION 6.0.11)
|
|
||||||
+project(llhttp VERSION 6.1.0)
|
|
||||||
include(GNUInstallDirs)
|
|
||||||
|
|
||||||
set(CMAKE_C_STANDARD 99)
|
|
||||||
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
|
|
||||||
index 2da66f1..78f27ab 100644
|
|
||||||
--- a/deps/llhttp/include/llhttp.h
|
|
||||||
+++ b/deps/llhttp/include/llhttp.h
|
|
||||||
@@ -2,8 +2,8 @@
|
|
||||||
#define INCLUDE_LLHTTP_H_
|
|
||||||
|
|
||||||
#define LLHTTP_VERSION_MAJOR 6
|
|
||||||
-#define LLHTTP_VERSION_MINOR 0
|
|
||||||
-#define LLHTTP_VERSION_PATCH 11
|
|
||||||
+#define LLHTTP_VERSION_MINOR 1
|
|
||||||
+#define LLHTTP_VERSION_PATCH 0
|
|
||||||
|
|
||||||
#ifndef LLHTTP_STRICT_MODE
|
|
||||||
# define LLHTTP_STRICT_MODE 0
|
|
||||||
@@ -348,6 +348,9 @@ struct llhttp_settings_s {
|
|
||||||
*/
|
|
||||||
llhttp_cb on_headers_complete;
|
|
||||||
|
|
||||||
+ /* Possible return values 0, -1, HPE_USER */
|
|
||||||
+ llhttp_data_cb on_chunk_parameters;
|
|
||||||
+
|
|
||||||
/* Possible return values 0, -1, HPE_USER */
|
|
||||||
llhttp_data_cb on_body;
|
|
||||||
|
|
||||||
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
|
|
||||||
index c4ce197..d3065b3 100644
|
|
||||||
--- a/deps/llhttp/src/api.c
|
|
||||||
+++ b/deps/llhttp/src/api.c
|
|
||||||
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
+int llhttp__on_chunk_parameters(llhttp_t* s, const char* p, const char* endp) {
|
|
||||||
+ int err;
|
|
||||||
+ SPAN_CALLBACK_MAYBE(s, on_chunk_parameters, p, endp - p);
|
|
||||||
+ return err;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
int llhttp__on_chunk_complete(llhttp_t* s, const char* p, const char* endp) {
|
|
||||||
int err;
|
|
||||||
CALLBACK_MAYBE(s, on_chunk_complete);
|
|
||||||
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
|
|
||||||
index 5e7c5d1..46f86a0 100644
|
|
||||||
--- a/deps/llhttp/src/llhttp.c
|
|
||||||
+++ b/deps/llhttp/src/llhttp.c
|
|
||||||
@@ -340,6 +340,8 @@ enum llparse_state_e {
|
|
||||||
s_n_llhttp__internal__n_invoke_is_equal_content_length,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_almost_done,
|
|
||||||
s_n_llhttp__internal__n_chunk_parameters,
|
|
||||||
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
|
|
||||||
+ s_n_llhttp__internal__n_chunk_parameters_ows,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_otherwise,
|
|
||||||
s_n_llhttp__internal__n_chunk_size,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_digit,
|
|
||||||
@@ -539,6 +541,10 @@ int llhttp__on_body(
|
|
||||||
llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
const unsigned char* endp);
|
|
||||||
|
|
||||||
+int llhttp__on_chunk_parameters(
|
|
||||||
+ llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
+ const unsigned char* endp);
|
|
||||||
+
|
|
||||||
int llhttp__on_status(
|
|
||||||
llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
const unsigned char* endp);
|
|
||||||
@@ -1226,8 +1232,7 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
}
|
|
||||||
case 2: {
|
|
||||||
- p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
goto s_n_llhttp__internal__n_error_10;
|
|
||||||
@@ -1236,6 +1241,34 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
/* UNREACHABLE */;
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
+ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
|
|
||||||
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
|
|
||||||
+ if (p == endp) {
|
|
||||||
+ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
|
|
||||||
+ }
|
|
||||||
+ state->_span_pos0 = (void*) p;
|
|
||||||
+ state->_span_cb0 = llhttp__on_chunk_parameters;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
+ case s_n_llhttp__internal__n_chunk_parameters_ows:
|
|
||||||
+ s_n_llhttp__internal__n_chunk_parameters_ows: {
|
|
||||||
+ if (p == endp) {
|
|
||||||
+ return s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
+ }
|
|
||||||
+ switch (*p) {
|
|
||||||
+ case ' ': {
|
|
||||||
+ p++;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
+ }
|
|
||||||
+ default: {
|
|
||||||
+ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
case s_n_llhttp__internal__n_chunk_size_otherwise:
|
|
||||||
s_n_llhttp__internal__n_chunk_size_otherwise: {
|
|
||||||
if (p == endp) {
|
|
||||||
@@ -1246,13 +1279,9 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
p++;
|
|
||||||
goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
}
|
|
||||||
- case ' ': {
|
|
||||||
- p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
- }
|
|
||||||
case ';': {
|
|
||||||
p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
goto s_n_llhttp__internal__n_error_11;
|
|
||||||
@@ -6074,6 +6103,24 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
/* UNREACHABLE */;
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
|
||||||
+ const unsigned char* start;
|
|
||||||
+ int err;
|
|
||||||
+
|
|
||||||
+ start = state->_span_pos0;
|
|
||||||
+ state->_span_pos0 = NULL;
|
|
||||||
+ err = llhttp__on_chunk_parameters(state, start, p);
|
|
||||||
+ if (err != 0) {
|
|
||||||
+ state->error = err;
|
|
||||||
+ state->error_pos = (const char*) (p + 1);
|
|
||||||
+ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ return s_error;
|
|
||||||
+ }
|
|
||||||
+ p++;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
s_n_llhttp__internal__n_error_10: {
|
|
||||||
state->error = 0x2;
|
|
||||||
state->reason = "Invalid character in chunk parameters";
|
|
||||||
@@ -8441,6 +8488,8 @@ enum llparse_state_e {
|
|
||||||
s_n_llhttp__internal__n_invoke_is_equal_content_length,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_almost_done,
|
|
||||||
s_n_llhttp__internal__n_chunk_parameters,
|
|
||||||
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
|
|
||||||
+ s_n_llhttp__internal__n_chunk_parameters_ows,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_otherwise,
|
|
||||||
s_n_llhttp__internal__n_chunk_size,
|
|
||||||
s_n_llhttp__internal__n_chunk_size_digit,
|
|
||||||
@@ -8635,6 +8684,10 @@ int llhttp__on_body(
|
|
||||||
llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
const unsigned char* endp);
|
|
||||||
|
|
||||||
+int llhttp__on_chunk_parameters(
|
|
||||||
+ llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
+ const unsigned char* endp);
|
|
||||||
+
|
|
||||||
int llhttp__on_status(
|
|
||||||
llhttp__internal_t* s, const unsigned char* p,
|
|
||||||
const unsigned char* endp);
|
|
||||||
@@ -9299,8 +9352,7 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
}
|
|
||||||
case 2: {
|
|
||||||
- p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
goto s_n_llhttp__internal__n_error_6;
|
|
||||||
@@ -9309,6 +9361,34 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
/* UNREACHABLE */;
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
+ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
|
|
||||||
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
|
|
||||||
+ if (p == endp) {
|
|
||||||
+ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
|
|
||||||
+ }
|
|
||||||
+ state->_span_pos0 = (void*) p;
|
|
||||||
+ state->_span_cb0 = llhttp__on_chunk_parameters;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
+ case s_n_llhttp__internal__n_chunk_parameters_ows:
|
|
||||||
+ s_n_llhttp__internal__n_chunk_parameters_ows: {
|
|
||||||
+ if (p == endp) {
|
|
||||||
+ return s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
+ }
|
|
||||||
+ switch (*p) {
|
|
||||||
+ case ' ': {
|
|
||||||
+ p++;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
+ }
|
|
||||||
+ default: {
|
|
||||||
+ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
case s_n_llhttp__internal__n_chunk_size_otherwise:
|
|
||||||
s_n_llhttp__internal__n_chunk_size_otherwise: {
|
|
||||||
if (p == endp) {
|
|
||||||
@@ -9319,13 +9399,9 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
p++;
|
|
||||||
goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
}
|
|
||||||
- case ' ': {
|
|
||||||
- p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
- }
|
|
||||||
case ';': {
|
|
||||||
p++;
|
|
||||||
- goto s_n_llhttp__internal__n_chunk_parameters;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
goto s_n_llhttp__internal__n_error_7;
|
|
||||||
@@ -13951,6 +14027,24 @@ static llparse_state_t llhttp__internal__run(
|
|
||||||
/* UNREACHABLE */;
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
|
||||||
+ const unsigned char* start;
|
|
||||||
+ int err;
|
|
||||||
+
|
|
||||||
+ start = state->_span_pos0;
|
|
||||||
+ state->_span_pos0 = NULL;
|
|
||||||
+ err = llhttp__on_chunk_parameters(state, start, p);
|
|
||||||
+ if (err != 0) {
|
|
||||||
+ state->error = err;
|
|
||||||
+ state->error_pos = (const char*) (p + 1);
|
|
||||||
+ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ return s_error;
|
|
||||||
+ }
|
|
||||||
+ p++;
|
|
||||||
+ goto s_n_llhttp__internal__n_chunk_size_almost_done;
|
|
||||||
+ /* UNREACHABLE */;
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
s_n_llhttp__internal__n_error_6: {
|
|
||||||
state->error = 0x2;
|
|
||||||
state->reason = "Invalid character in chunk parameters";
|
|
||||||
diff --git a/doc/api/errors.md b/doc/api/errors.md
|
|
||||||
index dcf8744..a76bfe5 100644
|
|
||||||
--- a/doc/api/errors.md
|
|
||||||
+++ b/doc/api/errors.md
|
|
||||||
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
|
|
||||||
HTTP parsing will abort without a request or response object being created, and
|
|
||||||
an `Error` with this code will be emitted.
|
|
||||||
|
|
||||||
+<a id="HPE_CHUNK_EXTENSIONS_OVERFLOW"></a>
|
|
||||||
+
|
|
||||||
+### `HPE_CHUNK_EXTENSIONS_OVERFLOW`
|
|
||||||
+
|
|
||||||
+<!-- YAML
|
|
||||||
+added: REPLACEME
|
|
||||||
+-->
|
|
||||||
+
|
|
||||||
+Too much data was received for a chunk extensions. In order to protect against
|
|
||||||
+malicious or malconfigured clients, if more than 16 KiB of data is received
|
|
||||||
+then an `Error` with this code will be emitted.
|
|
||||||
+
|
|
||||||
<a id="HPE_UNEXPECTED_CONTENT_LENGTH"></a>
|
|
||||||
|
|
||||||
### `HPE_UNEXPECTED_CONTENT_LENGTH`
|
|
||||||
diff --git a/lib/_http_server.js b/lib/_http_server.js
|
|
||||||
index 4e23266..325bce6 100644
|
|
||||||
--- a/lib/_http_server.js
|
|
||||||
+++ b/lib/_http_server.js
|
|
||||||
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
|
|
||||||
`HTTP/1.1 431 ${STATUS_CODES[431]}\r\n` +
|
|
||||||
'Connection: close\r\n\r\n', 'ascii'
|
|
||||||
);
|
|
||||||
+
|
|
||||||
+const requestChunkExtensionsTooLargeResponse = Buffer.from(
|
|
||||||
+ `HTTP/1.1 413 ${STATUS_CODES[413]}\r\n` +
|
|
||||||
+ 'Connection: close\r\n\r\n', 'ascii',
|
|
||||||
+);
|
|
||||||
+
|
|
||||||
function socketOnError(e) {
|
|
||||||
// Ignore further errors
|
|
||||||
this.removeListener('error', socketOnError);
|
|
||||||
@@ -719,6 +725,9 @@ function socketOnError(e) {
|
|
||||||
case 'HPE_HEADER_OVERFLOW':
|
|
||||||
response = requestHeaderFieldsTooLargeResponse;
|
|
||||||
break;
|
|
||||||
+ case 'HPE_CHUNK_EXTENSIONS_OVERFLOW':
|
|
||||||
+ response = requestChunkExtensionsTooLargeResponse;
|
|
||||||
+ break;
|
|
||||||
case 'ERR_HTTP_REQUEST_TIMEOUT':
|
|
||||||
response = requestTimeoutResponse;
|
|
||||||
break;
|
|
||||||
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
|
|
||||||
index 74f3248..b92e848 100644
|
|
||||||
--- a/src/node_http_parser.cc
|
|
||||||
+++ b/src/node_http_parser.cc
|
|
||||||
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
|
|
||||||
const uint32_t kOnTimeout = 6;
|
|
||||||
// Any more fields than this will be flushed into JS
|
|
||||||
const size_t kMaxHeaderFieldsCount = 32;
|
|
||||||
+// Maximum size of chunk extensions
|
|
||||||
+const size_t kMaxChunkExtensionsSize = 16384;
|
|
||||||
|
|
||||||
const uint32_t kLenientNone = 0;
|
|
||||||
const uint32_t kLenientHeaders = 1 << 0;
|
|
||||||
@@ -206,6 +208,7 @@ class Parser : public AsyncWrap, public StreamListener {
|
|
||||||
|
|
||||||
int on_message_begin() {
|
|
||||||
num_fields_ = num_values_ = 0;
|
|
||||||
+ chunk_extensions_nread_ = 0;
|
|
||||||
url_.Reset();
|
|
||||||
status_message_.Reset();
|
|
||||||
header_parsing_start_time_ = uv_hrtime();
|
|
||||||
@@ -443,9 +446,22 @@ class Parser : public AsyncWrap, public StreamListener {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- // Reset nread for the next chunk
|
|
||||||
+ int on_chunk_extension(const char* at, size_t length) {
|
|
||||||
+ chunk_extensions_nread_ += length;
|
|
||||||
+
|
|
||||||
+ if (chunk_extensions_nread_ > kMaxChunkExtensionsSize) {
|
|
||||||
+ llhttp_set_error_reason(&parser_,
|
|
||||||
+ "HPE_CHUNK_EXTENSIONS_OVERFLOW:Chunk extensions overflow");
|
|
||||||
+ return HPE_USER;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Reset nread for the next chunk and also reset the extensions counter
|
|
||||||
int on_chunk_header() {
|
|
||||||
header_nread_ = 0;
|
|
||||||
+ chunk_extensions_nread_ = 0;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -887,6 +903,7 @@ class Parser : public AsyncWrap, public StreamListener {
|
|
||||||
const char* current_buffer_data_;
|
|
||||||
bool pending_pause_ = false;
|
|
||||||
uint64_t header_nread_ = 0;
|
|
||||||
+ uint64_t chunk_extensions_nread_ = 0;
|
|
||||||
uint64_t max_http_header_size_;
|
|
||||||
uint64_t headers_timeout_;
|
|
||||||
uint64_t header_parsing_start_time_ = 0;
|
|
||||||
@@ -921,6 +938,7 @@ const llhttp_settings_t Parser::settings = {
|
|
||||||
Proxy<DataCall, &Parser::on_header_field>::Raw,
|
|
||||||
Proxy<DataCall, &Parser::on_header_value>::Raw,
|
|
||||||
Proxy<Call, &Parser::on_headers_complete>::Raw,
|
|
||||||
+ Proxy<DataCall, &Parser::on_chunk_extension>::Raw,
|
|
||||||
Proxy<DataCall, &Parser::on_body>::Raw,
|
|
||||||
Proxy<Call, &Parser::on_message_complete>::Raw,
|
|
||||||
Proxy<Call, &Parser::on_chunk_header>::Raw,
|
|
||||||
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..6868b3d
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/parallel/test-http-chunk-extensions-limit.js
|
|
||||||
@@ -0,0 +1,131 @@
|
|
||||||
+'use strict';
|
|
||||||
+
|
|
||||||
+const common = require('../common');
|
|
||||||
+const http = require('http');
|
|
||||||
+const net = require('net');
|
|
||||||
+const assert = require('assert');
|
|
||||||
+
|
|
||||||
+// Verify that chunk extensions are limited in size when sent all together.
|
|
||||||
+{
|
|
||||||
+ const server = http.createServer((req, res) => {
|
|
||||||
+ req.on('end', () => {
|
|
||||||
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
|
|
||||||
+ res.end('bye');
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ req.resume();
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ server.listen(0, () => {
|
|
||||||
+ const sock = net.connect(server.address().port);
|
|
||||||
+ let data = '';
|
|
||||||
+
|
|
||||||
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
|
|
||||||
+
|
|
||||||
+ sock.on('end', common.mustCall(function() {
|
|
||||||
+ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
|
|
||||||
+ server.close();
|
|
||||||
+ }));
|
|
||||||
+
|
|
||||||
+ sock.end('' +
|
|
||||||
+ 'GET / HTTP/1.1\r\n' +
|
|
||||||
+ 'Host: localhost:8080\r\n' +
|
|
||||||
+ 'Transfer-Encoding: chunked\r\n\r\n' +
|
|
||||||
+ '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' +
|
|
||||||
+ '0\r\n\r\n'
|
|
||||||
+ );
|
|
||||||
+ });
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+// Verify that chunk extensions are limited in size when sent in intervals.
|
|
||||||
+{
|
|
||||||
+ const server = http.createServer((req, res) => {
|
|
||||||
+ req.on('end', () => {
|
|
||||||
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
|
|
||||||
+ res.end('bye');
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ req.resume();
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ server.listen(0, () => {
|
|
||||||
+ const sock = net.connect(server.address().port);
|
|
||||||
+ let remaining = 20000;
|
|
||||||
+ let data = '';
|
|
||||||
+
|
|
||||||
+ const interval = setInterval(
|
|
||||||
+ () => {
|
|
||||||
+ if (remaining > 0) {
|
|
||||||
+ sock.write('A'.repeat(1000));
|
|
||||||
+ } else {
|
|
||||||
+ sock.write('=bar\r\nAA\r\n0\r\n\r\n');
|
|
||||||
+ clearInterval(interval);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ remaining -= 1000;
|
|
||||||
+ },
|
|
||||||
+ common.platformTimeout(20),
|
|
||||||
+ ).unref();
|
|
||||||
+
|
|
||||||
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
|
|
||||||
+
|
|
||||||
+ sock.on('end', common.mustCall(function() {
|
|
||||||
+ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
|
|
||||||
+ server.close();
|
|
||||||
+ }));
|
|
||||||
+
|
|
||||||
+ sock.write('' +
|
|
||||||
+ 'GET / HTTP/1.1\r\n' +
|
|
||||||
+ 'Host: localhost:8080\r\n' +
|
|
||||||
+ 'Transfer-Encoding: chunked\r\n\r\n' +
|
|
||||||
+ '2;'
|
|
||||||
+ );
|
|
||||||
+ });
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+// Verify the chunk extensions is correctly reset after a chunk
|
|
||||||
+{
|
|
||||||
+ const server = http.createServer((req, res) => {
|
|
||||||
+ req.on('end', () => {
|
|
||||||
+ res.writeHead(200, { 'content-type': 'text/plain', 'connection': 'close', 'date': 'now' });
|
|
||||||
+ res.end('bye');
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ req.resume();
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
+ server.listen(0, () => {
|
|
||||||
+ const sock = net.connect(server.address().port);
|
|
||||||
+ let data = '';
|
|
||||||
+
|
|
||||||
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
|
|
||||||
+
|
|
||||||
+ sock.on('end', common.mustCall(function() {
|
|
||||||
+ assert.strictEqual(
|
|
||||||
+ data,
|
|
||||||
+ 'HTTP/1.1 200 OK\r\n' +
|
|
||||||
+ 'content-type: text/plain\r\n' +
|
|
||||||
+ 'connection: close\r\n' +
|
|
||||||
+ 'date: now\r\n' +
|
|
||||||
+ 'Transfer-Encoding: chunked\r\n' +
|
|
||||||
+ '\r\n' +
|
|
||||||
+ '3\r\n' +
|
|
||||||
+ 'bye\r\n' +
|
|
||||||
+ '0\r\n' +
|
|
||||||
+ '\r\n',
|
|
||||||
+ );
|
|
||||||
+
|
|
||||||
+ server.close();
|
|
||||||
+ }));
|
|
||||||
+
|
|
||||||
+ sock.end('' +
|
|
||||||
+ 'GET / HTTP/1.1\r\n' +
|
|
||||||
+ 'Host: localhost:8080\r\n' +
|
|
||||||
+ 'Transfer-Encoding: chunked\r\n\r\n' +
|
|
||||||
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
|
|
||||||
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
|
|
||||||
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
|
|
||||||
+ '0\r\n\r\n'
|
|
||||||
+ );
|
|
||||||
+ });
|
|
||||||
+}
|
|
||||||
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
|
|
||||||
index 12e2f46..a95eef1 100755
|
|
||||||
--- a/tools/update-llhttp.sh
|
|
||||||
+++ b/tools/update-llhttp.sh
|
|
||||||
@@ -59,5 +59,5 @@ echo ""
|
|
||||||
echo "Please git add llhttp, commit the new version:"
|
|
||||||
echo ""
|
|
||||||
echo "$ git add -A deps/llhttp"
|
|
||||||
-echo "$ git commit -m \"deps: update nghttp2 to $LLHTTP_VERSION\""
|
|
||||||
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
|
|
||||||
echo ""
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: RafaelGSS <rafael.nunu@hotmail.com>
|
|
||||||
Date: Tue, 26 Mar 2024 15:55:13 -0300
|
|
||||||
Subject: [PATCH] src: ensure to close stream when destroying session
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
|
|
||||||
PR-URL: https://github.com/nodejs-private/node-private/pull/561
|
|
||||||
Fixes: https://hackerone.com/reports/2319584
|
|
||||||
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
|
||||||
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
|
|
||||||
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
|
||||||
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
|
||||||
CVE-ID: CVE-2024-27983
|
|
||||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
src/node_http2.cc | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/node_http2.cc b/src/node_http2.cc
|
|
||||||
index 53216dc..9a6d63d 100644
|
|
||||||
--- a/src/node_http2.cc
|
|
||||||
+++ b/src/node_http2.cc
|
|
||||||
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
|
|
||||||
Http2Session::~Http2Session() {
|
|
||||||
CHECK(!is_in_scope());
|
|
||||||
Debug(this, "freeing nghttp2 session");
|
|
||||||
+ // Ensure that all `Http2Stream` instances and the memory they hold
|
|
||||||
+ // on to are destroyed before the nghttp2 session is.
|
|
||||||
+ for (const auto& [id, stream] : streams_) {
|
|
||||||
+ stream->Detach();
|
|
||||||
+ }
|
|
||||||
+ streams_.clear();
|
|
||||||
// Explicitly reset session_ so the subsequent
|
|
||||||
// current_nghttp2_memory_ check passes.
|
|
||||||
session_.reset();
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,112 +0,0 @@
|
|||||||
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
|
||||||
Date: Sat, 9 Mar 2024 16:26:42 +0900
|
|
||||||
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
||||||
Fixes: CVE-2024-28182
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
|
|
||||||
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
|
|
||||||
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
|
|
||||||
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
|
|
||||||
4 files changed, 25 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
index fa22081..b394bde 100644
|
|
||||||
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
@@ -440,7 +440,12 @@ typedef enum {
|
|
||||||
* exhaustion on server side to send these frames forever and does
|
|
||||||
* not read network.
|
|
||||||
*/
|
|
||||||
- NGHTTP2_ERR_FLOODED = -904
|
|
||||||
+ NGHTTP2_ERR_FLOODED = -904,
|
|
||||||
+ /**
|
|
||||||
+ * When a local endpoint receives too many CONTINUATION frames
|
|
||||||
+ * following a HEADER frame.
|
|
||||||
+ */
|
|
||||||
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
|
||||||
} nghttp2_error;
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
|
|
||||||
index 93dd475..b3563d9 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_helper.c
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_helper.c
|
|
||||||
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
|
|
||||||
"closed";
|
|
||||||
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
|
||||||
return "SETTINGS frame contained more than the maximum allowed entries";
|
|
||||||
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
|
||||||
+ return "Too many CONTINUATION frames following a HEADER frame";
|
|
||||||
default:
|
|
||||||
return "Unknown error code";
|
|
||||||
}
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
index ec5024d..8e4d2e7 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
|
||||||
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
|
||||||
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
|
||||||
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
|
||||||
|
|
||||||
if (option) {
|
|
||||||
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
|
||||||
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
session_inbound_frame_reset(session);
|
|
||||||
+
|
|
||||||
+ session->num_continuations = 0;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
|
||||||
}
|
|
||||||
#endif /* DEBUGBUILD */
|
|
||||||
|
|
||||||
+ if (++session->num_continuations > session->max_continuations) {
|
|
||||||
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
readlen = inbound_frame_buf_read(iframe, in, last);
|
|
||||||
in += readlen;
|
|
||||||
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
|
|
||||||
index b119329..ef8f7b2 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_session.h
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_session.h
|
|
||||||
@@ -110,6 +110,10 @@ typedef struct {
|
|
||||||
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
|
||||||
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
|
||||||
|
|
||||||
+/* The default max number of CONTINUATION frames following an incoming
|
|
||||||
+ HEADER frame. */
|
|
||||||
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
|
||||||
+
|
|
||||||
/* Internal state when receiving incoming frame */
|
|
||||||
typedef enum {
|
|
||||||
/* Receiving frame header */
|
|
||||||
@@ -290,6 +294,12 @@ struct nghttp2_session {
|
|
||||||
size_t max_send_header_block_length;
|
|
||||||
/* The maximum number of settings accepted per SETTINGS frame. */
|
|
||||||
size_t max_settings;
|
|
||||||
+ /* The maximum number of CONTINUATION frames following an incoming
|
|
||||||
+ HEADER frame. */
|
|
||||||
+ size_t max_continuations;
|
|
||||||
+ /* The number of CONTINUATION frames following an incoming HEADER
|
|
||||||
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
|
||||||
+ size_t num_continuations;
|
|
||||||
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
|
||||||
uint32_t next_stream_id;
|
|
||||||
/* The last stream ID this session initiated. For client session,
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,94 +0,0 @@
|
|||||||
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
|
||||||
Date: Sat, 9 Mar 2024 16:48:10 +0900
|
|
||||||
Subject: [PATCH] Add nghttp2_option_set_max_continuations
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
||||||
Related: CVE-2024-28182
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
|
|
||||||
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
|
|
||||||
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
|
|
||||||
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
|
|
||||||
4 files changed, 25 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
index b394bde..4d3339b 100644
|
|
||||||
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
|
||||||
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
|
|
||||||
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
uint64_t burst, uint64_t rate);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * @function
|
|
||||||
+ *
|
|
||||||
+ * This function sets the maximum number of CONTINUATION frames
|
|
||||||
+ * following an incoming HEADER frame. If more than those frames are
|
|
||||||
+ * received, the remote endpoint is considered to be misbehaving and
|
|
||||||
+ * session will be closed. The default value is 8.
|
|
||||||
+ */
|
|
||||||
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
|
||||||
+ size_t val);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* @function
|
|
||||||
*
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
|
|
||||||
index 43d4e95..53144b9 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_option.c
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_option.c
|
|
||||||
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
|
||||||
option->stream_reset_burst = burst;
|
|
||||||
option->stream_reset_rate = rate;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
|
||||||
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
|
||||||
+ option->max_continuations = val;
|
|
||||||
+}
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
|
|
||||||
index 2259e18..c89cb97 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_option.h
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_option.h
|
|
||||||
@@ -71,6 +71,7 @@ typedef enum {
|
|
||||||
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
|
|
||||||
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
|
|
||||||
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
|
||||||
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
|
||||||
} nghttp2_option_flag;
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -98,6 +99,10 @@ struct nghttp2_option {
|
|
||||||
* NGHTTP2_OPT_MAX_SETTINGS
|
|
||||||
*/
|
|
||||||
size_t max_settings;
|
|
||||||
+ /**
|
|
||||||
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
|
||||||
+ */
|
|
||||||
+ size_t max_continuations;
|
|
||||||
/**
|
|
||||||
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
|
||||||
* are specified.
|
|
||||||
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
index 8e4d2e7..ced7517 100644
|
|
||||||
--- a/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
|
||||||
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
|
|
||||||
option->stream_reset_burst,
|
|
||||||
option->stream_reset_rate);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
|
||||||
+ (*session_ptr)->max_continuations = option->max_continuations;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
@ -1,39 +0,0 @@
|
|||||||
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
|
|
||||||
From: Brad House <brad@brad-house.com>
|
|
||||||
Date: Thu, 22 Feb 2024 16:23:33 -0500
|
|
||||||
Subject: [PATCH] Address CVE-2024-25629
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
|
|
||||||
|
|
||||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
||||||
Fixes: CVE-2024-25629
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
|
|
||||||
index c62ad2a..16627e4 100644
|
|
||||||
--- a/deps/cares/src/lib/ares__read_line.c
|
|
||||||
+++ b/deps/cares/src/lib/ares__read_line.c
|
|
||||||
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
|
|
||||||
if (!fgets(*buf + offset, bytestoread, fp))
|
|
||||||
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
|
|
||||||
len = offset + strlen(*buf + offset);
|
|
||||||
+
|
|
||||||
+ /* Probably means there was an embedded NULL as the first character in
|
|
||||||
+ * the line, throw away line */
|
|
||||||
+ if (len == 0) {
|
|
||||||
+ offset = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((*buf)[len - 1] == '\n')
|
|
||||||
{
|
|
||||||
(*buf)[len - 1] = 0;
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,82 @@
|
|||||||
|
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Dawson <midawson@redhat.com>
|
||||||
|
Date: Fri, 23 Feb 2024 13:43:56 +0100
|
||||||
|
Subject: [PATCH] Disable FIPS options
|
||||||
|
|
||||||
|
On RHEL, FIPS should be configured only on system level.
|
||||||
|
Additionally, the related options may cause segfault when used on RHEL.
|
||||||
|
|
||||||
|
This patch causes the option processing to end sooner
|
||||||
|
than the problematic code gets executed.
|
||||||
|
Additionally, the JS-level options to mess with FIPS settings
|
||||||
|
are similarly disabled.
|
||||||
|
|
||||||
|
Upstream report: https://github.com/nodejs/node/pull/48950
|
||||||
|
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
|
||||||
|
---
|
||||||
|
lib/crypto.js | 10 ++++++++++
|
||||||
|
lib/internal/errors.js | 6 ++++++
|
||||||
|
src/crypto/crypto_util.cc | 2 ++
|
||||||
|
3 files changed, 18 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/crypto.js b/lib/crypto.js
|
||||||
|
index 41adecc..b2627ac 100644
|
||||||
|
--- a/lib/crypto.js
|
||||||
|
+++ b/lib/crypto.js
|
||||||
|
@@ -36,6 +36,9 @@ const {
|
||||||
|
assertCrypto();
|
||||||
|
|
||||||
|
const {
|
||||||
|
+ // RHEL specific error
|
||||||
|
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
|
||||||
|
+
|
||||||
|
ERR_CRYPTO_FIPS_FORCED,
|
||||||
|
} = require('internal/errors').codes;
|
||||||
|
const constants = internalBinding('constants').crypto;
|
||||||
|
@@ -251,6 +254,13 @@ function getFips() {
|
||||||
|
}
|
||||||
|
|
||||||
|
function setFips(val) {
|
||||||
|
+ // in RHEL FIPS enable/disable should only be done at system level
|
||||||
|
+ if (getFips() != val) {
|
||||||
|
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
|
||||||
|
+ } else {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (getOptionValue('--force-fips')) {
|
||||||
|
if (val) return;
|
||||||
|
throw new ERR_CRYPTO_FIPS_FORCED();
|
||||||
|
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
|
||||||
|
index a722360..04d8a53 100644
|
||||||
|
--- a/lib/internal/errors.js
|
||||||
|
+++ b/lib/internal/errors.js
|
||||||
|
@@ -1060,6 +1060,12 @@ module.exports = {
|
||||||
|
//
|
||||||
|
// Note: Node.js specific errors must begin with the prefix ERR_
|
||||||
|
|
||||||
|
+// insert RHEL specific erro
|
||||||
|
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
|
||||||
|
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
|
||||||
|
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
|
||||||
|
+ Error);
|
||||||
|
+
|
||||||
|
E('ERR_ACCESS_DENIED',
|
||||||
|
'Access to this API has been restricted. Permission: %s',
|
||||||
|
Error);
|
||||||
|
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
|
||||||
|
index 5734d8f..ef9d1b1 100644
|
||||||
|
--- a/src/crypto/crypto_util.cc
|
||||||
|
+++ b/src/crypto/crypto_util.cc
|
||||||
|
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
|
||||||
|
/* Override FIPS settings in configuration file, if needed. */
|
||||||
|
if (per_process::cli_options->enable_fips_crypto ||
|
||||||
|
per_process::cli_options->force_fips_crypto) {
|
||||||
|
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
|
||||||
|
+ return false;
|
||||||
|
#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
|
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
||||||
|
if (fips_provider == nullptr)
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue