Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: handle server errors after sending GOAWAY [1.19 backport] #54376

Closed
neild opened this issue Aug 10, 2022 · 4 comments
Closed

net/http: handle server errors after sending GOAWAY [1.19 backport] #54376

neild opened this issue Aug 10, 2022 · 4 comments
Assignees
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone

Comments

@neild
Copy link
Contributor

neild commented Aug 10, 2022

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101 and fixed by http://tg/1413887.

@neild neild added Security release-blocker CherryPickCandidate Used during the release process for point releases labels Aug 10, 2022
@neild neild added this to the Go1.19.1 milestone Aug 10, 2022
@neild neild self-assigned this Aug 10, 2022
@joedian joedian added the CherryPickApproved Used during the release process for point releases label Aug 17, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Aug 17, 2022
@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428655 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes #54376
For #54658

Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428655
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Closed by merging 9cfe4e2 to release-branch.go1.19.

@mknyszek mknyszek changed the title security: fix CVE-2022-27664 [1.19 backport] net/http: handle server errors after sending GOAWAY [1.19 backport] Sep 6, 2022
@gopherbot
Copy link

gopherbot commented Sep 7, 2022

Change https://go.dev/cl/428737 mentions this issue: [internal-branch.go1.19-vendor] http2: handle server errors after sending GOAWAY

gopherbot pushed a commit to golang/net that referenced this issue Sep 7, 2022
…ding GOAWAY

The HTTP/2 server uses serverConn.goAwayCode to track whether a
connection has encountered a fatal error. If an error is encountered
after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the
error status of the connection.

Fixes an issue where a server connection could hang forever waiting
for a clean shutdown that was preempted by a subsequent fatal error.

Fixes CVE-2022-27664
For golang/go#54658
For golang/go#54376

Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428735
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428737
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link

gopherbot commented Sep 7, 2022

Change https://go.dev/cl/429317 mentions this issue: [release-branch.go1.19] all: upgrade golang.org/x/net to v0.0.0-20220907013720-d52c520e3766

bradfitz pushed a commit to tailscale/go that referenced this issue Sep 8, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#54376
For golang#54658

Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428655
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Sep 9, 2022
…907013720-d52c520e3766

Restore vendoring after go1.19.1 security release.

For #54376

Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b
Reviewed-on: https://go-review.googlesource.com/c/go/+/429317
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
…907013720-d52c520e3766

Restore vendoring after go1.19.1 security release.

For golang#54376

Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b
Reviewed-on: https://go-review.googlesource.com/c/go/+/429317
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
…907013720-d52c520e3766

Restore vendoring after go1.19.1 security release.

For golang#54376

Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b
Reviewed-on: https://go-review.googlesource.com/c/go/+/429317
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
…907013720-d52c520e3766

Restore vendoring after go1.19.1 security release.

For golang#54376

Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b
Reviewed-on: https://go-review.googlesource.com/c/go/+/429317
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
Status: Done
Development

No branches or pull requests

4 participants