Skip to content

net/http: ReadRequest can stack overflow due to recursion with very large headers #45710

New issue
New issue
Closed
containerd/containerd
#5461
Closed
net/http: ReadRequest can stack overflow due to recursion with very large headers#45710
containerd/containerd
#5461
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.17
@katiehockman

Description

@katiehockman
katiehockman
opened on Apr 22, 2021

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/net@v0.0.0-20210428140749-89ef3d95e781.

This is CVE-2021-31525.

According to the new security policy (#44918), this will be fixed as a PUBLIC track issue.

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

/cc @golang/security

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions