authorAnna Henningsen <anna@addaleax.net>2019-08-10 23:37:58 +0200
committerMichaƫl Zasso <targos@protonmail.com>2019-08-15 09:51:53 +0200
commit695e38be69a780417eef32db744528c3c78d6b0b (patch)
tree767cb1febfecda21bbfa5713497b114246a7d266 /src/node_http2.cc
parentb2c7c51d0bfa1b2165be409f1cedb7b1d4beaddf (diff)
http2: consider 0-length non-end DATA frames an error
This is intended to mitigate CVE-2019-9518. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src/node_http2.cc')
-rw-r--r--src/node_http2.cc12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc
index d4b672a603..a0b87dd94a 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -979,8 +979,7 @@ int Http2Session::OnFrameReceive(nghttp2_session* handle,
frame->hd.type);
switch (frame->hd.type) {
case NGHTTP2_DATA:
- session->HandleDataFrame(frame);
- break;
+ return session->HandleDataFrame(frame);
case NGHTTP2_PUSH_PROMISE:
// Intentional fall-through, handled just like headers frames
case NGHTTP2_HEADERS:
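Review bot: The `NGHTTP2_DATA` case now returns HandleDataFrame's result directly, but nothing at this line says what a non-zero value means to the caller. If OnFrameReceive is registered as nghttp2's frame-receive callback, any non-zero return is treated as a fatal callback failure for the whole session, not just the offending stream. A short comment above the return would make that visible, for example `// Non-zero is reported to nghttp2 as a callback failure and ends the session.` The switch continues outside this hunk, so how the other cases return is not visible here.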
@@ -1372,13 +1371,18 @@ void Http2Session::HandlePriorityFrame(const nghttp2_frame* frame) {
// Called by OnFrameReceived when a complete DATA frame has been received.
// If we know that this was the last DATA frame (because the END_STREAM flag
// is set), then we'll terminate the readable side of the StreamBase.
-void Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
+int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
int32_t id = GetFrameID(frame);
Debug(this, "handling data frame for stream %d", id);
Http2Stream* stream = FindStream(id);
- if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM)
+ if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
stream->EmitRead(UV_EOF);
+ } else if (frame->hd.length == 0 &&
+ !IsReverted(SECURITY_REVERT_CVE_2019_9518)) {
+ return 1; // Consider 0-length frame without END_STREAM an error.
+ }
+ return 0;
}
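Review bot: The new `else if` branch is also reached by an empty DATA frame that does carry END_STREAM when the stream is already destroyed, because the first condition can fail on `IsDestroyed()` rather than on the flag. The comment on the `return 1` line says only frames without END_STREAM are meant to be errors. If a late, empty END_STREAM frame for a destroyed stream should stay harmless, test the flag explicitly: `} else if (frame->hd.length == 0 && !(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) && !IsReverted(SECURITY_REVERT_CVE_2019_9518)) {`. Separately, `stream` from `FindStream(id)` is dereferenced without a null check; this predates the commit, and whether FindStream can return null here is not visible in the hunk, but it is worth confirming on a path that handles peer-controlled frames.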