Stream stacking occurs when H2 processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high.

[qinyushun]

Version
hyper-0.13.7
h2-0.2.4

Platform
wsl

Description

Summary：

​ Stream stacking occurs when Hyper processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high.

Step：

1. Send an HEADERS frame to open the stream, followed by an RST_STREAM frame to request cancellation of the stream

   def reset_flood(h2_conn):
       for i in range(1, 20000):
           if i % 2 == 0:
               continue
           headers(h2_conn, i)
           rst_stream(h2_conn, i)
   

2. Create multiple threads for sending.

   if __name__ == '__main__':
       for i in range(0, 400):
           try:
               _thread.start_new_thread(send, ("Thread-" + str(i),))
           except:
               print("Error: Can not start thread")
       while 1:
           pass
   

Result：

The CPU usage of the Hyper server keeps increasing. As a result, the VM memory is used up.

Vulnerability analysis:

When receiving a HEADERS frame, the h2 stores the corresponding stream content in the slab and sets a frame index to the ids. When receiving an RST_STREAM frame, h2 sets the stream to Closed and resets the related statistics. However, the stream memory is released only when stream.is_released() is true . When the RST_STREAM frame is received, the release is not triggered immediately. As a result, the size of the slab increases continuously.

Test procedure:

Add the slab_len(),ids_len() method for Store to return the length of all flows and active flows.

Add the preceding two stream lengths to the recv_reset() method.

After the test, when the HEADERS frame is repeatedly sent to open a stream or the RST_STREAM frame is sent to cancel the stream, the length of the ids does not exceed the value of max_recv, but the SLAB increases .The stream in the Closed state in the SLAB is released only after all frames on the connection are sent.

The max_concurrent_streams configuration can limit max_recv_streams, but it appears that in this scenario, the size of Slab is much larger than the max_concurrent_streams value and stacks up.

I think it is necessary to limit the size of the Slab or ensure that streams in the Slab can be released quickly after the RST_STREAM frame is received to prevent such attacks.

[lidong14]

@seanmonstar What do you think of this issue? I think hyper has some problems in dealing with this scenario.

[seanmonstar]

Sounds like something we could try to fix. What is making the slab hold onto the memory? My guess is that it needs to hold the stream info while there is an Event that can be polled, so that a user accepting requests will see it was reset, is that it?

[lidong14]

@silence-coding thanks for your code.
@seanmonstar pls check , thandks

[Wang1921]

Please assign a CVE ID to this vulnerability.

[shirshak55]

CVE-2023-26964

[jqnatividad]

GH Dependabot is now also raising a Security alert

GHSA-f8vr-r385-rh5r

[SamTV12345]

Is there anything we could do as reqwest library users to mitigate the attack surface?

[seanmonstar]

Um. Ok. I'm sure you just wanted to see this fixed. But this is NOT how to do things. Filing a drive-by CVE like this is like seeing a lighter in a school and pulling the fire alarm.

There is a SECURITY policy if you ever feel something is a vulnerability. Then we can better coordinate.

Be Kind. That includes considering we're all humans contributing, and respecting time is part of being kind.

I'm also extremely disappointed that @github facilitated this.

That said, fire alarm time.

---

If you're here from a dependabot warning, or similar: I'll be working on this today. I will update this issue when there is a version you can upgrade to. Some things you can do to determine if you can just safely ignore the dependabot warning:

• If you're not using HTTP/2, ignore.
• If you're using a client, with HTTP/2, but you're talking to your own servers, or you at least control the URLs to talk to servers you trust to not attack your client (most businesses), ignore.

The fix will likely be an h2 version, hyper will not need to be changed.

[olix0r]

This CVE is going to cause a flurry of unnecessary emergency response work across the ecosystem--even for use cases that are totally un-impacted by the bug. Every application that depends on Hyper is now going to have to ship out-of-cycle fixes to address the CVE, even if the application has nothing to do with HTTP/2.

Going through the documented SECURITY process isn't a feel good exercise: it allows stakeholders to coordinate about the severity and breadth of an issue's impact.