New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix stack overflow when sending huge request body to upstream (CVE-2017-10869) #1460

Closed
kazuho opened this Issue Oct 18, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@kazuho
Member

kazuho commented Oct 18, 2017

The worker process of H2O may crash (and automatically respawned depending on the configuration) while the reverse proxy module tries to forward a huge HTTP request body to the upstream server using HTTPS.

The crash disrupts other requests in-flight, and therefore is being classified as a DoS vulnerability.

Details TBD.

Affected systems: H2O up to version 2.2.2, used as a reverse proxy that connects to the origin server using HTTPS.
Resolution: upgrade to 2.2.3.

@kazuho kazuho changed the title from test to fix stack overflow when sending huge request body to upstream (CVE-2017-10869) Oct 19, 2017

@kazuho kazuho closed this Jan 12, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment