authorAnna Henningsen <anna@addaleax.net>2019-08-10 23:27:48 +0300
committerBeth Griggs <Bethany.Griggs@uk.ibm.com>2019-08-15 17:19:52 +0300
commit05dada46eea59c0bfdabe4f54d64cda2f315cec9 (patch)
treeaa2d928bef0282d39c931f91037848a906573092 /src
parent7f11465572888340b4c7b399c1f46598d1c4ea50 (diff)
http2: limit number of rejected stream openings
Limit the number of streams that are rejected upon creation. Since each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM` error that should tell the peer to not open any more streams, continuing to open streams should be read as a sign of a misbehaving peer. The limit is currently set to 100 but could be changed or made configurable. This is intended to mitigate CVE-2019-9514. Backport-PR-URL: https://github.com/nodejs/node/pull/29123 PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/node_http2.cc8
-rw-r--r--src/node_http2.h5
-rw-r--r--src/node_revert.h5
3 files changed, 17 insertions, 1 deletions
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 7d3b117f441..e0cedc49183 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -6,6 +6,8 @@
#include "node_http2_state.h"
#include "node_internals.h"
#include "node_perf.h"
+#include "node_revert.h"
+#include "util-inl.h"
#include <algorithm>
@@ -921,11 +923,17 @@ int Http2Session::OnBeginHeadersCallback(nghttp2_session* handle,
if (UNLIKELY(!session->CanAddStream() ||
Http2Stream::New(session, id, frame->headers.cat) ==
nullptr)) {
+ if (session->rejected_stream_count_++ > 100 &&
+ !IsReverted(SECURITY_REVERT_CVE_2019_9514)) {
+ return NGHTTP2_ERR_CALLBACK_FAILURE;
+ }
// Too many concurrent streams being opened
nghttp2_submit_rst_stream(**session, NGHTTP2_FLAG_NONE, id,
NGHTTP2_ENHANCE_YOUR_CALM);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
+
+ session->rejected_stream_count_ = 0;
} else if (!stream->IsDestroyed()) {
stream->StartHeaders(frame->headers.cat);
}
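Review bot: The post-increment in `session->rejected_stream_count_++ > 100` tolerates 101 rejections and only fails the callback on the 102nd, so the effective limit is one more than the "100" the commit message states; if 100 is the intended bound, compare with `>=`, and either way give the number a name, e.g. `static constexpr int32_t kMaxRejectedStreams = 100;` next to the `rejected_stream_count_` member in the node_http2.h hunk, whose comment speaks of "a fixed limit" without saying which. The counter is also incremented before `IsReverted()` is consulted, so with the revert flag set it keeps growing in an `int32_t` with nothing to stop it from reaching signed overflow; evaluating the revert check first, `if (!IsReverted(SECURITY_REVERT_CVE_2019_9514) && session->rejected_stream_count_++ > 100)`, avoids that and leaves the reverted build's behaviour unchanged. The reset on the line `session->rejected_stream_count_ = 0;` only runs after a stream was successfully created, which matches the header comment, but a one-line note there, `// A stream was accepted: the peer is behaving again, start counting afresh.`, would save the next reader from re-deriving it. OnBeginHeadersCallback starts and ends outside this hunk.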
diff --git a/src/node_http2.h b/src/node_http2.h
index 8424ffb8971..ba8d06893a8 100644
--- a/src/node_http2.h
+++ b/src/node_http2.h
@@ -1017,6 +1017,11 @@ class Http2Session : public AsyncWrap, public StreamListener {
std::vector<nghttp2_stream_write> outgoing_buffers_;
std::vector<uint8_t> outgoing_storage_;
std::vector<int32_t> pending_rst_streams_;
+ // Count streams that have been rejected while being opened. Exceeding a fixed
+ // limit will result in the session being destroyed, as an indication of a
+ // misbehaving peer. This counter is reset once new streams are being
+ // accepted again.
+ int32_t rejected_stream_count_ = 0;
void CopyDataIntoOutgoing(const uint8_t* src, size_t src_length);
void ClearOutgoing(int status);
diff --git a/src/node_revert.h b/src/node_revert.h
index c5963afeafd..e98e583ec3c 100644
--- a/src/node_revert.h
+++ b/src/node_revert.h
@@ -15,8 +15,11 @@
**/
namespace node {
-#define SECURITY_REVERSIONS(XX)
+#define SECURITY_REVERSIONS(XX) \
+ XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
+ // TODO(addaleax): Remove all of the above before Node.js 13 as the comment
+ // at the start of the file indicates.
enum reversion {
#define V(code, ...) SECURITY_REVERT_##code,