http2: backpressure incoming frames when too many outgoing control frames are buffered #2706

Merged
merged 2 commits into from Sep 13, 2019

@jrudolph
Member

commented Sep 12, 2019

Fixes CVE-2019-9512, CVE-2019-9514, CVE-2019-9515.

@jrudolph jrudolph requested a review from raboof Sep 12, 2019
@akka-ci

Collaborator

commented Sep 12, 2019

Test FAILed.

@jrudolph

Member Author

commented Sep 12, 2019

PLS BUILD

@akka-ci

Collaborator

commented Sep 12, 2019

Test FAILed.

Pull request validation report

Mima Failures

Problems for akka-http-core:
akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.4  (filtered 171)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.0  (filtered 277)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 8 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.9  (filtered 17)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * method apply(Int,Int,Int,Int,Boolean,scala.Option)akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl in object akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.apply")
 * method unapply(akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl)scala.Option in object akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl has a different signature in current version, where it is (Lakka/http/scaladsl/settings/Http2ServerSettings$Http2ServerSettingsImpl;)Lscala/Option<Lscala/Tuple7<Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Lscala/Option<Lakka/http/scaladsl/settings/Http2InternalServerSettings;>;>;>; rather than (Lakka/http/scaladsl/settings/Http2ServerSettings$Http2ServerSettingsImpl;)Lscala/Option<Lscala/Tuple6<Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Lscala/Option<Lakka/http/scaladsl/settings/Http2InternalServerSettings;>;>;>;
   filter with: ProblemFilters.exclude[IncompatibleSignatureProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.unapply")
 * method copy(Int,Int,Int,Int,Boolean,scala.Option)akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl in class akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.copy")
 * synthetic method copy$default$5()Boolean in class akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl has a different result type in current version, where it is Int rather than Boolean
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.copy$default$5")
 * synthetic method copy$default$6()scala.Option in class akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl has a different result type in current version, where it is Boolean rather than scala.Option
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.copy$default$6")
 * method this(Int,Int,Int,Int,Boolean,scala.Option)Unit in class akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings#Http2ServerSettingsImpl.this")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.7  (filtered 119)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.6  (filtered 119)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.8  (filtered 30)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.13  (filtered 337)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.3  (filtered 176)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.11  (filtered 353)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.1  (filtered 231)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.15  (filtered 307)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.12  (filtered 337)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.10  (filtered 327)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.5  (filtered 148)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.0.14  (filtered 321)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")

akka-http-core: found 2 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.12:10.1.2  (filtered 176)
 * abstract method withOutgoingControlFrameBufferSize(Int)akka.http.javadsl.settings.Http2ServerSettings in interface akka.http.javadsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.javadsl.settings.Http2ServerSettings.withOutgoingControlFrameBufferSize")
 * abstract method outgoingControlFrameBufferSize()Int in interface akka.http.scaladsl.settings.Http2ServerSettings is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.settings.Http2ServerSettings.outgoingControlFrameBufferSize")


…ames are buffered

Fixes CVE-2019-9512, CVE-2019-9514, CVE-2019-9515.
@jrudolph jrudolph force-pushed the jrudolph:fix-control-frame-flood branch from 6ad07a7 to 8a864df Sep 12, 2019
@akka-ci

Collaborator

commented Sep 12, 2019

Test PASSed.

Pull request validation report

@raboof
raboof approved these changes Sep 13, 2019
Member

left a comment

LGTM

@johanandren johanandren merged commit 1f43536 into akka:master Sep 13, 2019
4 checks passed
Jenkins PR Auto-Formatter Successful
Jenkins PR Validation Test PASSed. 4171 tests run, 1074 skipped, 0 failed.
continuous-integration/travis-ci/pr The Travis CI build passed
typesafe-cla-validator All users have signed the CLA
@johanandren johanandren added this to the 10.1.10 milestone Sep 13, 2019