Please sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
http2: limit number of control frames in server send queue
An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory. Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer. This addresses CVE-2019-9512 and CVE-2019-9514. Fixes golang/go#33606 Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552 Reviewed-by: Brad Fitzpatrick <email@example.com>
- Loading branch information
Showing with 71 additions and 9 deletions.