Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v10.x] http2: mitigate reported DoS attacks #29123

Closed
wants to merge 19 commits into from
Closed
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
http2: allow security revert for Ping/Settings Flood
nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.

The associated CVEs are CVE-2019-9512/CVE-2019-9515.
  • Loading branch information
addaleax committed Aug 14, 2019

Verified

This commit was signed with the committer’s verified signature.
chenrui333 Rui Chen
commit e4e47e2cf848844740a02fa980baeecdfc061356
3 changes: 3 additions & 0 deletions src/node_http2.cc
Original file line number Diff line number Diff line change
@@ -152,6 +152,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
}

if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
nghttp2_option_set_max_outbound_ack(options_, 10000);

// The padding strategy sets the mechanism by which we determine how much
// additional frame padding to apply to DATA and HEADERS frames. Currently
// this is set on a per-session basis, but eventually we may switch to
1 change: 1 addition & 0 deletions src/node_revert.h
Original file line number Diff line number Diff line change
@@ -16,6 +16,7 @@
namespace node {

#define SECURITY_REVERSIONS(XX) \
XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood") \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \