http2: close connections when receiving too many headers (#1)
Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection.
When a request's headers exceed MaxHeaderBytes, we don't
allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of data, all associated
with a request which is going to be rejected.

Set a limit on the amount of excess header frames we
will process before closing a connection.

Thanks to Bartek Nowotarski for reporting this issue.

Fixes CVE-2023-45288
Fixes bsc#1236507

This is a backport of
https://go.googlesource.com/net/+/ba872109ef2dc8f1da778651bd1fd3792d0e4587%5E%21/#F0
dcermak authored Feb 12, 2025
1 parent 58d787d commit f8b2315
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions vendor/golang.org/x/net/http2/frame.go
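As an added illustration of the mitigation the commit message describes (this is constructed example code, not the frame.go change itself, which is not rendered on this page): a Go model in which every HEADERS/CONTINUATION fragment is parsed so HPACK state stays in sync, bytes past MaxHeaderBytes are not stored, and a cap on that discarded excess turns a per-stream rejection into a connection close. The names HeaderBlockReader, Fragment and ExcessLimit are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the mitigation the commit message describes; constructed, not x/net code.
var ErrHeadersTooLarge = errors.New("headers exceed MaxHeaderBytes: reject stream")
var ErrExcessHeaders = errors.New("too many excess header bytes: close connection")

// Fragment is one HEADERS or CONTINUATION frame payload (constructed input).
type Fragment struct {
	Payload    []byte
	EndHeaders bool
}
type HeaderBlockReader struct {
	MaxHeaderBytes int // header bytes stored per request
	ExcessLimit    int // parsed-but-discarded bytes tolerated past that limit
}

// Read parses every fragment (HPACK state must stay in sync) but stores at most
// MaxHeaderBytes; once the excess passes ExcessLimit the connection must close.
func (r *HeaderBlockReader) Read(frags []Fragment) ([]byte, error) {
	stored := make([]byte, 0, r.MaxHeaderBytes)
	parsed, truncated := 0, false
	for _, f := range frags {
		parsed += len(f.Payload)
		if parsed-r.MaxHeaderBytes > r.ExcessLimit {
			return nil, ErrExcessHeaders // connection-level: stop reading entirely
		}
		if room := r.MaxHeaderBytes - len(stored); len(f.Payload) > room {
			stored = append(stored, f.Payload[:room]...) // keep what fits, drop the rest
			truncated = true
		} else if !truncated {
			stored = append(stored, f.Payload...)
		}
		if f.EndHeaders {
			break
		}
	}
	if truncated {
		return stored, ErrHeadersTooLarge // stream-level: reject this request only
	}
	return stored, nil
}

func main() {
	r := &HeaderBlockReader{MaxHeaderBytes: 8, ExcessLimit: 8}
	_, err := r.Read([]Fragment{{[]byte("0123456789abcdef"), false}, {[]byte("ghij"), true}})
	fmt.Println(err) // too many excess header bytes: close connection
}
```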
