http2: limit number of rejected stream openings

Limit the number of streams that are rejected upon creation. Since
each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM`
error that should tell the peer to not open any more streams,
continuing to open streams should be read as a sign of a misbehaving
peer. The limit is currently set to 100 but could be changed or made
configurable.

This is intended to mitigate CVE-2019-9514.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/src/node_http2.cc b/src/node_http2.cc
index 3f24c3a25e..63617cfd9f 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -6,6 +6,7 @@
 #include "node_http2.h"
 #include "node_http2_state.h"
 #include "node_perf.h"
+#include "node_revert.h"
 #include "util-inl.h"
 
 #include <algorithm>
@@ -921,11 +922,17 @@ int Http2Session::OnBeginHeadersCallback(nghttp2_session* handle,
     if (UNLIKELY(!session->CanAddStream() ||
                  Http2Stream::New(session, id, frame->headers.cat) ==
                      nullptr)) {
+      if (session->rejected_stream_count_++ > 100 &&
+          !IsReverted(SECURITY_REVERT_CVE_2019_9514)) {
+        return NGHTTP2_ERR_CALLBACK_FAILURE;
+      }
       // Too many concurrent streams being opened
       nghttp2_submit_rst_stream(**session, NGHTTP2_FLAG_NONE, id,
                                 NGHTTP2_ENHANCE_YOUR_CALM);
       return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
     }
+
+    session->rejected_stream_count_ = 0;
   } else if (!stream->IsDestroyed()) {
     stream->StartHeaders(frame->headers.cat);
   }