From ec60b625b66288cb63d63a51b115661a8503e19e Mon Sep 17 00:00:00 2001
From: Anna Henningsen <anna@addaleax.net>
Date: Mon, 12 Aug 2019 23:36:00 +0200
Subject: http2: allow security revert for Ping/Settings Flood

nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.

The associated CVEs are CVE-2019-9512/CVE-2019-9515.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 src/node_http2.cc | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/node_http2.cc')

diff --git a/src/node_http2.cc b/src/node_http2.cc
index 7e32f7f14b..8cb1158b55 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -151,6 +151,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
         buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
   }
 
+  if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+    nghttp2_option_set_max_outbound_ack(options_, 10000);
+
   // The padding strategy sets the mechanism by which we determine how much
   // additional frame padding to apply to DATA and HEADERS frames. Currently
   // this is set on a per-session basis, but eventually we may switch to
-- 
cgit v1.2.3