authorAnna Henningsen <anna@addaleax.net>2019-08-12 23:36:00 +0200
committerMichaƫl Zasso <targos@protonmail.com>2019-08-15 09:51:53 +0200
commitec60b625b66288cb63d63a51b115661a8503e19e (patch)
tree1b7871cc36d0f3b4d85b2ab48a49ddb30aef7192 /src/node_http2.cc
parent8a4a1931b8b98242abb590936c31f0c20dd2e08f (diff)
http2: allow security revert for Ping/Settings Flood
nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src/node_http2.cc')
-rw-r--r--src/node_http2.cc3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 7e32f7f14b..8cb1158b55 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -151,6 +151,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
}
+ if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+ nghttp2_option_set_max_outbound_ack(options_, 10000);
+
// The padding strategy sets the mechanism by which we determine how much
// additional frame padding to apply to DATA and HEADERS frames. Currently
// this is set on a per-session basis, but eventually we may switch to
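Review bot: The literal `10000` on the added `nghttp2_option_set_max_outbound_ack(options_, 10000);` call is unexplained in the code; a reader cannot tell that it restores nghttp2's previous default rather than introducing a new, looser limit. Suggest a comment above the added `if`: `// nghttp2 now caps outstanding PING/SETTINGS ACKs at 1000 (CVE-2019-9512, CVE-2019-9515); a security revert restores the previous default of 10000.` The revert identifier names only CVE-2019-9512, while the commit message states the same limit covers CVE-2019-9515 as well, so the comment should mention both so an operator enabling the revert understands what is re-exposed. The enclosing Http2Options constructor begins and ends outside the hunk.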