Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/nodejs/node.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnna Henningsen <anna@addaleax.net>2019-08-13 00:36:00 +0300
committerMichaƫl Zasso <targos@protonmail.com>2019-08-15 11:04:15 +0300
commit08021fac59a3aae798d42f9b870012acc1e634c5 (patch)
tree1f12bdfb201d36bb0346cb5641150b85ed78981d
parentbbb4769cc12a285ff79a4fb7a344fdf0605e3298 (diff)
http2: allow security revert for Ping/Settings Flood
nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
-rw-r--r--src/node_http2.cc3
-rw-r--r--src/node_revert.h1
2 files changed, 4 insertions, 0 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 7e32f7f14bc..8cb1158b559 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -151,6 +151,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
}
+ if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+ nghttp2_option_set_max_outbound_ack(options_, 10000);
+
// The padding strategy sets the mechanism by which we determine how much
// additional frame padding to apply to DATA and HEADERS frames. Currently
// this is set on a per-session basis, but eventually we may switch to
diff --git a/src/node_revert.h b/src/node_revert.h
index 33b30a0dfe7..66161c9c9b2 100644
--- a/src/node_revert.h
+++ b/src/node_revert.h
@@ -16,6 +16,7 @@
namespace node {
#define SECURITY_REVERSIONS(XX) \
+ XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood") \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \