From 474577cf54c3a5f48dec8ab88bd2d03881e2ac02 Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Sat, 10 Aug 2019 22:27:48 +0200
Subject: http2: limit number of rejected stream openings
Limit the number of streams that are rejected upon creation. Since each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM` error that should tell the peer to not open any more streams, continuing to open streams should be read as a sign of a misbehaving peer. The limit is currently set to 100 but could be changed or made configurable. This is intended to mitigate CVE-2019-9514.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott
Reviewed-By: James M Snell
---
src/node_revert.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/node_revert.h')
diff --git a/src/node_revert.h b/src/node_revert.h
index 38e2ba7105..b0853ee75f 100644
--- a/src/node_revert.h
+++ b/src/node_revert.h
@@ -15,8 +15,11 @@
 **/
 namespace node {
-#define SECURITY_REVERSIONS(XX)
+#define SECURITY_REVERSIONS(XX) \
+ XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
 // XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
+ // TODO(addaleax): Remove all of the above before Node.js 13 as the comment
+ // at the start of the file indicates.
 enum reversion {
 #define V(code, ...) SECURITY_REVERT_##code,
--
cgit v1.2.3
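Review bot: The trailing `\` on the new `XX(CVE_2019_9514, ...)` line splices the following `// XX(CVE_2016_PEND, ...)` template comment into the macro's logical line; that is harmless today only because comment removal runs after line splicing, and any non-comment line later inserted between the entry and the template comment would be silently absorbed into `SECURITY_REVERSIONS`. Ending the last real entry without the continuation, `XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood")`, and placing the template comment and the TODO after the macro definition removes that trap. The entry also makes the mitigation revertable through the reversion mechanism this header backs, and nothing in the hunk says what reverting gives up; a one-line comment on the entry such as `// Reverting disables the cap on rejected stream openings (CVE-2019-9514).` would help an operator weigh that choice. The code that consumes the `reversion` enum is outside the hunk, so whether the description string surfaces to operators is not verifiable here.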