diff options
author | Anna Henningsen <anna@addaleax.net> | 2019-08-10 23:37:58 +0200 |
---|---|---|
committer | Michaƫl Zasso <targos@protonmail.com> | 2019-08-15 09:51:53 +0200 |
commit | 695e38be69a780417eef32db744528c3c78d6b0b (patch) | |
tree | 767cb1febfecda21bbfa5713497b114246a7d266 /src/node_http2.cc | |
parent | b2c7c51d0bfa1b2165be409f1cedb7b1d4beaddf (diff) | |
download | android-node-v8-695e38be69a780417eef32db744528c3c78d6b0b.tar.gz android-node-v8-695e38be69a780417eef32db744528c3c78d6b0b.tar.bz2 android-node-v8-695e38be69a780417eef32db744528c3c78d6b0b.zip |
http2: consider 0-length non-end DATA frames an error
This is intended to mitigate CVE-2019-9518.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src/node_http2.cc')
-rw-r--r-- | src/node_http2.cc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc index d4b672a603..a0b87dd94a 100644 --- a/src/node_http2.cc +++ b/src/node_http2.cc @@ -979,8 +979,7 @@ int Http2Session::OnFrameReceive(nghttp2_session* handle, frame->hd.type); switch (frame->hd.type) { case NGHTTP2_DATA: - session->HandleDataFrame(frame); - break; + return session->HandleDataFrame(frame); case NGHTTP2_PUSH_PROMISE: // Intentional fall-through, handled just like headers frames case NGHTTP2_HEADERS: @@ -1372,13 +1371,18 @@ void Http2Session::HandlePriorityFrame(const nghttp2_frame* frame) { // Called by OnFrameReceived when a complete DATA frame has been received. // If we know that this was the last DATA frame (because the END_STREAM flag // is set), then we'll terminate the readable side of the StreamBase. -void Http2Session::HandleDataFrame(const nghttp2_frame* frame) { +int Http2Session::HandleDataFrame(const nghttp2_frame* frame) { int32_t id = GetFrameID(frame); Debug(this, "handling data frame for stream %d", id); Http2Stream* stream = FindStream(id); - if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM) + if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { stream->EmitRead(UV_EOF); + } else if (frame->hd.length == 0 && + !IsReverted(SECURITY_REVERT_CVE_2019_9518)) { + return 1; // Consider 0-length frame without END_STREAM an error. + } + return 0; } |