http2: limit number of invalid incoming frames

Limit the number of invalid input frames, as they may be pointing towards a
misbehaving peer. The limit is currently set to 1000 but could be changed or
made configurable.

This is intended to mitigate CVE-2019-9514.

[This commit differs from the v12.x one due to the lack of
https://github.com/libuv/libuv/commit/ee24ce900e5714c950b248da2b.
See the comment in the test for more details.]

Backport-PR-URL: https://github.com/nodejs/node/pull/29123
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

2 files changed, 6 insertions, 0 deletions

diff --git a/src/node_http2.cc b/src/node_http2.cc
index e0cedc49183..0a4fefb45a6 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -1018,6 +1018,10 @@ int Http2Session::OnInvalidFrame(nghttp2_session* handle,
   Http2Session* session = static_cast<Http2Session*>(user_data);
 
   Debug(session, "invalid frame received, code: %d", lib_error_code);
+  if (session->invalid_frame_count_++ > 1000 &&
+      !IsReverted(SECURITY_REVERT_CVE_2019_9514)) {
+    return 1;
+  }
 
   // If the error is fatal or if error code is ERR_STREAM_CLOSED... emit error
   if (nghttp2_is_fatal(lib_error_code) ||
diff --git a/src/node_http2.h b/src/node_http2.h
index ba8d06893a8..da2acbca2ca 100644
--- a/src/node_http2.h
+++ b/src/node_http2.h
@@ -1022,6 +1022,8 @@ class Http2Session : public AsyncWrap, public StreamListener {
   // misbehaving peer. This counter is reset once new streams are being
   // accepted again.
   int32_t rejected_stream_count_ = 0;
+  // Also use the invalid frame count as a measure for rejecting input frames.
+  int32_t invalid_frame_count_ = 0;
 
   void CopyDataIntoOutgoing(const uint8_t* src, size_t src_length);
   void ClearOutgoing(int status);