net/http: imperva HTTP/2 attack vectors report

[dlsniper]

Hello,

I've just seen the issues highlighted by this report: https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ (download shortcut: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf) with regards to HTTP/2 implementation in web servers and I'd like to ask if this is something that the Go team is aware of and if Go itself is vulnerable to the issues described there.
Sorry if this is the wrong place to ask, I wasn't sure if I should ask here or on golang-dev.

Thank you.

[bradfitz]

Can I reply in text or do I need to generate a PDF?

[dlsniper]

I couldn't see a text version of it, aside from this rather useless link: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322 , sorry.
I understand that the issues are in the specific implementations not the protocol itself.

Thank you.

[as]

The PDF is wordy, so here's a summary of the article's contents. None of the specific issues mentioned are about Go, and some do not even seem possible (1 thread per stream, buffer overflow, etc).

(page 7) HTTP/2 Stream Multiplexing

• CVE-2016-0150 Microsoft's HTTP/2 kernel driver crashes after seeing two requests for the same stream

(page 9) HTTP/2 Flow Control

• CVE-2016-1546 "Slow Read Attack." Four non-Go implementations (IIS, Apache, Nginx, Jetty) affected. Paper mentions one-thread-per-stream.

(page 12) Dependency and Priority

• CVE-2015-8659 Implementation-specific (Nginx) use-after-free bug

(page 16) HPACK Bomb

• CVE-2016-1544 Nghttp2 out of memory
• CVE-2016-2525 Wireshark "dissector" out-of-memory crash due to large header

[bradfitz]

The only one I'd want to double-check is the HPACK bomb (haven't read the details yet). But golang/net@6050c11 and golang/net@21c3935 and golang/net@59e870b and golang/net@d8f3c68 and golang/net@29704b8 seem to cover it.

[bradfitz]

Yeah, I think we're fine here. Please file a bug if you find a problem in Go's implementation.