Skip to content

V8.16.1 proposal #29152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
BethGriggs merged 19 commits into from
Aug 15, 2019
Merged

V8.16.1 proposal #29152

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
b095e35
http2: improve http2 code a bit
jasnell Oct 30, 2018
5afc77b
deps: update nghttp2 to 1.34.0
jasnell Oct 5, 2018
0b44733
deps: update nghttp2 to 1.37.0
gengjiawen Mar 29, 2019
17fad97
deps: update nghttp2 to 1.38.0
gengjiawen Apr 18, 2019
33d4d91
deps: update nghttp2 to 1.39.1
gengjiawen Jun 27, 2019
6d42737
deps: update nghttp2 to 1.39.2
addaleax Aug 14, 2019
00f6846
http2: improve JS-side debug logging
addaleax Aug 5, 2019
dd60d35
http2: only call into JS when necessary for session events
addaleax Aug 9, 2019
7de642b
http2: do not create ArrayBuffers when no DATA received
addaleax Aug 9, 2019
11b4e2c
http2: limit number of rejected stream openings
addaleax Aug 10, 2019
ac28a62
http2: limit number of invalid incoming frames
addaleax Aug 12, 2019
10f05b6
http2: handle 0-length headers better
addaleax Aug 10, 2019
156f2f3
http2: shrink default `vector::reserve()` allocations
addaleax Aug 10, 2019
a319168
http2: consider 0-length non-end DATA frames an error
addaleax Aug 10, 2019
854dba6
http2: stop reading from socket if writes are in progress
addaleax Aug 10, 2019
6d687f7
http2: pause input processing if sending output
addaleax Aug 11, 2019
073108c
http2: allow security revert for Ping/Settings Flood
addaleax Aug 12, 2019
cc28223
test: apply test-http2-max-session-memory-leak from v12.x
addaleax Aug 13, 2019
5744b46
2019-08-15, Version 8.16.1 'Carbon' (LTS)
BethGriggs Aug 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
http2: consider 0-length non-end DATA frames an error 
This is intended to mitigate CVE-2019-9518.

Backport-PR-URL: #29124
PR-URL: #29122
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: James M Snell <[email protected]>
  • Loading branch information
@addaleax @BethGriggs
addaleax authored and BethGriggs committed Aug 15, 2019
commit a3191689ddd8ac7ade7b309840d87f99438f867f
15 changes: 7 additions & 8 deletions src/node_http2.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1031,8 +1031,7 @@ int Http2Session::OnFrameReceive(nghttp2_session* handle,
frame->hd.type);
switch (frame->hd.type) {
case NGHTTP2_DATA:
session->HandleDataFrame(frame);
break;
return session->HandleDataFrame(frame);
case NGHTTP2_PUSH_PROMISE:
// Intentional fall-through, handled just like headers frames
case NGHTTP2_HEADERS:
Expand Down Expand Up @@ -1408,18 +1407,18 @@ void Http2Session::HandlePriorityFrame(const nghttp2_frame* frame) {
// Called by OnFrameReceived when a complete DATA frame has been received.
// If we know that this was the last DATA frame (because the END_STREAM flag
// is set), then we'll terminate the readable side of the StreamBase.
inline void Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
int32_t id = GetFrameID(frame);
DEBUG_HTTP2SESSION2(this, "handling data frame for stream %d", id);
Http2Stream* stream = FindStream(id);

// If the stream has already been destroyed, do nothing
if (stream->IsDestroyed())
return;

if (frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
if (!stream->IsDestroyed() && frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
stream->EmitData(UV_EOF, Local<Object>(), Local<Object>());
} else if (frame->hd.length == 0 &&
!IsReverted(SECURITY_REVERT_CVE_2019_9518)) {
return 1; // Consider 0-length frame without END_STREAM an error.
}
return 0;
}


Expand Down
16 changes: 8 additions & 8 deletions src/node_http2.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -940,14 +940,14 @@ class Http2Session : public AsyncWrap {
size_t maxPayloadLen);

// Frame Handler
inline void HandleDataFrame(const nghttp2_frame* frame);
inline void HandleGoawayFrame(const nghttp2_frame* frame);
inline void HandleHeadersFrame(const nghttp2_frame* frame);
inline void HandlePriorityFrame(const nghttp2_frame* frame);
inline void HandleSettingsFrame(const nghttp2_frame* frame);
inline void HandlePingFrame(const nghttp2_frame* frame);
inline void HandleAltSvcFrame(const nghttp2_frame* frame);
inline void HandleOriginFrame(const nghttp2_frame* frame);
int HandleDataFrame(const nghttp2_frame* frame);
void HandleGoawayFrame(const nghttp2_frame* frame);
void HandleHeadersFrame(const nghttp2_frame* frame);
void HandlePriorityFrame(const nghttp2_frame* frame);
void HandleSettingsFrame(const nghttp2_frame* frame);
void HandlePingFrame(const nghttp2_frame* frame);
void HandleAltSvcFrame(const nghttp2_frame* frame);
void HandleOriginFrame(const nghttp2_frame* frame);

// nghttp2 callbacks
static inline int OnBeginHeadersCallback(
Expand Down
1 change: 1 addition & 0 deletions src/node_revert.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ namespace node {
XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting") \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
// TODO(addaleax): Remove all of the above before Node.js 13 as the comment
// at the start of the file indicates.
Expand Down