Skip to content

V10.17.0 proposal #29150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
BethGriggs wants to merge 19 commits into from
Closed

V10.17.0 proposal #29150

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
00f153d
http2: improve http2 code a bit
jasnell Oct 30, 2018
a0a14c8
src: pass along errors from http2 object creation
addaleax Jan 30, 2019
ab0f2ac
deps: update nghttp2 to 1.37.0
gengjiawen Mar 29, 2019
fedfa12
deps: update nghttp2 to 1.38.0
gengjiawen Apr 18, 2019
a397c88
deps: update nghttp2 to 1.39.1
gengjiawen Jun 27, 2019
74507fa
deps: update nghttp2 to 1.39.2
addaleax Aug 14, 2019
76a7ada
http2: improve JS-side debug logging
addaleax Aug 5, 2019
2eb914f
http2: only call into JS when necessary for session events
addaleax Aug 9, 2019
7f11465
http2: do not create ArrayBuffers when no DATA received
addaleax Aug 9, 2019
05dada4
http2: limit number of rejected stream openings
addaleax Aug 10, 2019
477461a
http2: limit number of invalid incoming frames
addaleax Aug 12, 2019
f4242e2
http2: handle 0-length headers better
addaleax Aug 10, 2019
460f896
http2: shrink default `vector::reserve()` allocations
addaleax Aug 10, 2019
17357d3
http2: consider 0-length non-end DATA frames an error
addaleax Aug 10, 2019
0ce699c
http2: stop reading from socket if writes are in progress
addaleax Aug 10, 2019
c152449
http2: pause input processing if sending output
addaleax Aug 11, 2019
0acbe05
http2: allow security revert for Ping/Settings Flood
addaleax Aug 12, 2019
d85e400
test: apply test-http2-max-session-memory-leak from v12.x
addaleax Aug 13, 2019
8994fff
2019-08-15, Version 10.17.0 'Dubnium' (LTS)
BethGriggs Aug 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
http2: consider 0-length non-end DATA frames an error 
This is intended to mitigate CVE-2019-9518.

Backport-PR-URL: #29123
PR-URL: #29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
@addaleax @BethGriggs
addaleax authored and BethGriggs committed Aug 15, 2019
commit 17357d37a9eba4ac1cbafe8628bf12cc900bc642
12 changes: 8 additions & 4 deletions src/node_http2.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -980,8 +980,7 @@ int Http2Session::OnFrameReceive(nghttp2_session* handle,
frame->hd.type);
switch (frame->hd.type) {
case NGHTTP2_DATA:
session->HandleDataFrame(frame);
break;
return session->HandleDataFrame(frame);
case NGHTTP2_PUSH_PROMISE:
// Intentional fall-through, handled just like headers frames
case NGHTTP2_HEADERS:
Expand Down Expand Up @@ -1398,13 +1397,18 @@ void Http2Session::HandlePriorityFrame(const nghttp2_frame* frame) {
// Called by OnFrameReceived when a complete DATA frame has been received.
// If we know that this was the last DATA frame (because the END_STREAM flag
// is set), then we'll terminate the readable side of the StreamBase.
void Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
int32_t id = GetFrameID(frame);
Debug(this, "handling data frame for stream %d", id);
Http2Stream* stream = FindStream(id);

if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM)
if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
stream->EmitRead(UV_EOF);
} else if (frame->hd.length == 0 &&
!IsReverted(SECURITY_REVERT_CVE_2019_9518)) {
return 1; // Consider 0-length frame without END_STREAM an error.
}
return 0;
}


Expand Down
2 changes: 1 addition & 1 deletion src/node_http2.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -889,7 +889,7 @@ class Http2Session : public AsyncWrap, public StreamListener {
size_t maxPayloadLen);

// Frame Handler
void HandleDataFrame(const nghttp2_frame* frame);
int HandleDataFrame(const nghttp2_frame* frame);
void HandleGoawayFrame(const nghttp2_frame* frame);
void HandleHeadersFrame(const nghttp2_frame* frame);
void HandlePriorityFrame(const nghttp2_frame* frame);
Expand Down
1 change: 1 addition & 0 deletions src/node_revert.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ namespace node {
#define SECURITY_REVERSIONS(XX) \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
// TODO(addaleax): Remove all of the above before Node.js 13 as the comment
// at the start of the file indicates.
Expand Down