Skip to content

[v8.x] http2: mitigate reported DoS attacks #29124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 19 commits into from
Closed

[v8.x] http2: mitigate reported DoS attacks #29124

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
4d09a44
http2: improve http2 code a bit
jasnell Oct 30, 2018
b8b4ba5
deps: update nghttp2 to 1.34.0
jasnell Oct 5, 2018
6251b50
deps: update nghttp2 to 1.37.0
gengjiawen Mar 29, 2019
68a44ab
deps: update nghttp2 to 1.38.0
gengjiawen Apr 18, 2019
6a1278b
deps: update nghttp2 to 1.39.1
gengjiawen Jun 27, 2019
6deff8a
deps: update nghttp2 to 1.39.2
addaleax Aug 14, 2019
14fd420
http2: improve JS-side debug logging
addaleax Aug 5, 2019
dd6b143
http2: only call into JS when necessary for session events
addaleax Aug 9, 2019
f717523
http2: do not create ArrayBuffers when no DATA received
addaleax Aug 9, 2019
7652406
http2: limit number of rejected stream openings
addaleax Aug 10, 2019
871393f
http2: limit number of invalid incoming frames
addaleax Aug 12, 2019
a722e8c
http2: handle 0-length headers better
addaleax Aug 10, 2019
cda3bad
http2: shrink default `vector::reserve()` allocations
addaleax Aug 10, 2019
4993fa7
http2: consider 0-length non-end DATA frames an error
addaleax Aug 10, 2019
6a341af
http2: stop reading from socket if writes are in progress
addaleax Aug 10, 2019
bc112af
http2: pause input processing if sending output
addaleax Aug 11, 2019
6912e21
http2: allow security revert for Ping/Settings Flood
addaleax Aug 12, 2019
320fbea
test: apply test-http2-max-session-memory-leak from v12.x
addaleax Aug 13, 2019
5db3a94
fixup! deps: update nghttp2 to 1.39.2
addaleax Aug 14, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
http2: allow security revert for Ping/Settings Flood 
nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.

The associated CVEs are CVE-2019-9512/CVE-2019-9515.
  • Loading branch information
@addaleax
addaleax committed Aug 14, 2019
commit 6912e21ffa75d967df668aa87098ecb10deaf21d
3 changes: 3 additions & 0 deletions src/node_http2.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
}

if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
nghttp2_option_set_max_outbound_ack(options_, 10000);

// The padding strategy sets the mechanism by which we determine how much
// additional frame padding to apply to DATA and HEADERS frames. Currently
// this is set on a per-session basis, but eventually we may switch to
Expand Down
1 change: 1 addition & 0 deletions src/node_revert.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ namespace node {

#define SECURITY_REVERSIONS(XX) \
XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting") \
XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood") \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \
Expand Down