diff options
author | Anna Henningsen <anna@addaleax.net> | 2019-08-10 22:27:48 +0200 |
---|---|---|
committer | Michaƫl Zasso <targos@protonmail.com> | 2019-08-15 09:50:30 +0200 |
commit | 474577cf54c3a5f48dec8ab88bd2d03881e2ac02 (patch) | |
tree | 606efc56dea8b0d39474490580746fb98a07f35b /src/node_http2.cc | |
parent | 599eee0990c98ef0e6cc32f1c9dbf2f35b63a923 (diff) | |
download | android-node-v8-474577cf54c3a5f48dec8ab88bd2d03881e2ac02.tar.gz android-node-v8-474577cf54c3a5f48dec8ab88bd2d03881e2ac02.tar.bz2 android-node-v8-474577cf54c3a5f48dec8ab88bd2d03881e2ac02.zip |
http2: limit number of rejected stream openings
Limit the number of streams that are rejected upon creation. Since
each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM`
error that should tell the peer to not open any more streams,
continuing to open streams should be read as a sign of a misbehaving
peer. The limit is currently set to 100 but could be changed or made
configurable.
This is intended to mitigate CVE-2019-9514.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src/node_http2.cc')
-rw-r--r-- | src/node_http2.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc index 3f24c3a25e..63617cfd9f 100644 --- a/src/node_http2.cc +++ b/src/node_http2.cc @@ -6,6 +6,7 @@ #include "node_http2.h" #include "node_http2_state.h" #include "node_perf.h" +#include "node_revert.h" #include "util-inl.h" #include <algorithm> @@ -921,11 +922,17 @@ int Http2Session::OnBeginHeadersCallback(nghttp2_session* handle, if (UNLIKELY(!session->CanAddStream() || Http2Stream::New(session, id, frame->headers.cat) == nullptr)) { + if (session->rejected_stream_count_++ > 100 && + !IsReverted(SECURITY_REVERT_CVE_2019_9514)) { + return NGHTTP2_ERR_CALLBACK_FAILURE; + } // Too many concurrent streams being opened nghttp2_submit_rst_stream(**session, NGHTTP2_FLAG_NONE, id, NGHTTP2_ENHANCE_YOUR_CALM); return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; } + + session->rejected_stream_count_ = 0; } else if (!stream->IsDestroyed()) { stream->StartHeaders(frame->headers.cat); } |