Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534) [1.19 backport] #59267

Closed
gopherbot opened this issue Mar 27, 2023 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@julieqiu requested issue #58975 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/481976 mentions this issue: [release-branch.go1.19] net/textproto: avoid overpredicting the number of MIME header keys

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/481982 mentions this issue: [release-branch.go1.19] net/textproto: avoid overpredicting the number of MIME header keys

@gopherbot
Copy link
Contributor Author

Closed by merging d6759e7 to release-branch.go1.19.

gopherbot pushed a commit that referenced this issue Apr 4, 2023
…r of MIME header keys

A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.

The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.

Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).

Thanks to Jakob Ackermann (@das7pad) for reporting this issue.

Fixes CVE-2023-24534
For #58975
Fixes #59267

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Change-Id: I675451438d619a9130360c56daf529559004903f
Reviewed-on: https://go-review.googlesource.com/c/go/+/481982
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
@mknyszek mknyszek changed the title security: fix ​CVE-2023-24534 [1.19 backport] net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534) [1.19 backport] Apr 4, 2023
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023
@golang golang locked and limited conversation to collaborators Apr 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Development

No branches or pull requests

3 participants