Merge pull request from GHSA-xpw8-rcwv-8f8p
Motivation: It's possible for a remote peer to overload a remote system by issuing a huge number of RST frames. While this is completely valid in terms of the RFC we need to limit the amount to protect against DDOS attacks. Modifications: Add protection against RST floods which is enabled by default. Result: Protect against DDOS caused by RST floods (CVE-2023-44487)
1 parent
4911448
commit 58f75f6
Showing
9 changed files
with
316 additions
and
41 deletions.
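--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2023 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http2;
+
+import static io.netty.util.internal.ObjectUtil.checkPositive;
+
+
+/**
+ * Enforce a limit on the maximum number of RST frames that are allowed per a window
+ * before the connection will be closed with a GO_AWAY frame.
+ */
+final class Http2MaxRstFrameDecoder extends DecoratingHttp2ConnectionDecoder {
+    private final int maxRstFramesPerWindow;
+    private final int secondsPerWindow;
+
+    Http2MaxRstFrameDecoder(Http2ConnectionDecoder delegate, int maxRstFramesPerWindow, int secondsPerWindow) {
+        super(delegate);
+        this.maxRstFramesPerWindow = checkPositive(maxRstFramesPerWindow, "maxRstFramesPerWindow");
+        this.secondsPerWindow = checkPositive(secondsPerWindow, "secondsPerWindow");
+    }
+
+    @Override
+    public void frameListener(Http2FrameListener listener) {
+        if (listener != null) {
+            super.frameListener(new Http2MaxRstFrameListener(listener, maxRstFramesPerWindow, secondsPerWindow));
+        } else {
+            super.frameListener(null);
+        }
+    }
+
+    @Override
+    public Http2FrameListener frameListener() {
+        Http2FrameListener frameListener = frameListener0();
+        // Unwrap the original Http2FrameListener as we add this decoder under the hood.
+        if (frameListener instanceof Http2MaxRstFrameListener) {
+            return ((Http2MaxRstFrameListener) frameListener).listener;
+        }
+        return frameListener;
+    }
+
+    // Package-private for testing
+    Http2FrameListener frameListener0() {
+        return super.frameListener();
+    }
+}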
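Review bot: Every call to frameListener(listener) wraps the argument in a brand-new Http2MaxRstFrameListener, so swapping the listener on a live connection silently discards the RST count accumulated so far and starts a fresh window; if the listener is only installed once during pipeline setup (not visible in this section) that is harmless, but the override should say so, e.g. `// Replacing the listener resets the RST rate-limit state; expected only during pipeline setup.` The constructor carries no Javadoc, so the unit of secondsPerWindow and the positive-only constraint enforced by checkPositive are only discoverable by reading the body; a short `@param maxRstFramesPerWindow RST_STREAM frames tolerated per window` / `@param secondsPerWindow window length in seconds; both must be > 0` would make the contract explicit. The class Javadoc's "per a window" reads as a typo for "per window".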
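--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2023 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http2;
+
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.util.internal.logging.InternalLogger;
+import io.netty.util.internal.logging.InternalLoggerFactory;
+
+import java.util.concurrent.TimeUnit;
+
+
+final class Http2MaxRstFrameListener extends Http2FrameListenerDecorator {
+    private static final InternalLogger logger = InternalLoggerFactory.getInstance(Http2MaxRstFrameListener.class);
+
+    private final long nanosPerWindow;
+    private final int maxRstFramesPerWindow;
+    private long lastRstFrameNano = System.nanoTime();
+    private int receivedRstInWindow;
+
+    Http2MaxRstFrameListener(Http2FrameListener listener, int maxRstFramesPerWindow, int secondsPerWindow) {
+        super(listener);
+        this.maxRstFramesPerWindow = maxRstFramesPerWindow;
+        this.nanosPerWindow = TimeUnit.SECONDS.toNanos(secondsPerWindow);
+    }
+
+    @Override
+    public void onRstStreamRead(ChannelHandlerContext ctx, int streamId, long errorCode) throws Http2Exception {
+        long currentNano = System.nanoTime();
+        if (currentNano - lastRstFrameNano >= nanosPerWindow) {
+            lastRstFrameNano = currentNano;
+            receivedRstInWindow = 1;
+        } else {
+            receivedRstInWindow++;
+            if (receivedRstInWindow > maxRstFramesPerWindow) {
+                Http2Exception exception = Http2Exception.connectionError(Http2Error.ENHANCE_YOUR_CALM,
+                        "Maximum number of RST frames reached");
+                logger.debug("{} Maximum number {} of RST frames reached within {} seconds, " +
+                        "closing connection with {} error", ctx.channel(), maxRstFramesPerWindow,
+                        TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow), exception.error(), exception);
+                throw exception;
+            }
+        }
+        super.onRstStreamRead(ctx, streamId, errorCode);
+    }
+}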
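Review bot: The counting in onRstStreamRead is a fixed window re-anchored at the first RST_STREAM after expiry, so a peer that sends maxRstFramesPerWindow frames just before the boundary and the same number just after gets roughly twice the nominal limit inside any secondsPerWindow-long interval without ever reaching ENHANCE_YOUR_CALM; that is an acceptable trade-off for flood protection but should be stated on the field so nobody tunes the value as a hard bound, e.g. `// Fixed window: a burst straddling the boundary may reach 2 * maxRstFramesPerWindow.` Only RST_STREAM frames read from the peer are counted here; streams that the local endpoint resets on its own (for instance after rejecting a malformed request) presumably never reach this listener, so if that path is part of the rapid-reset pattern being mitigated it needs its own limit elsewhere. The breach is logged at debug level only, which makes the trigger invisible under most production log configurations; at least an info-level line or a counter would let an operator tell an attack from a misbehaving client. The class itself has no Javadoc stating that it is expected to run on the channel's event loop; the unsynchronized counters rely on that, so a one-line note would prevent reuse across threads.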
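--- a/codec-http2/src/test/java/io/netty/handler/codec/http2/AbstractDecoratingHttp2ConnectionDecoderTest.java
+++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/AbstractDecoratingHttp2ConnectionDecoderTest.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2023 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License, version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.netty.handler.codec.http2;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public abstract class AbstractDecoratingHttp2ConnectionDecoderTest {
+
+    protected abstract DecoratingHttp2ConnectionDecoder newDecoder(Http2ConnectionDecoder decoder);
+
+    protected abstract Class<? extends Http2FrameListener> delegatingFrameListenerType();
+
+    @Test
+    public void testDecoration() {
+        Http2ConnectionDecoder delegate = mock(Http2ConnectionDecoder.class);
+        final ArgumentCaptor<Http2FrameListener> listenerArgumentCaptor =
+                ArgumentCaptor.forClass(Http2FrameListener.class);
+        when(delegate.frameListener()).then(new Answer<Http2FrameListener>() {
+            @Override
+            public Http2FrameListener answer(InvocationOnMock invocationOnMock) {
+                return listenerArgumentCaptor.getValue();
+            }
+        });
+        Http2FrameListener listener = mock(Http2FrameListener.class);
+        DecoratingHttp2ConnectionDecoder decoder = newDecoder(delegate);
+        decoder.frameListener(listener);
+        verify(delegate).frameListener(listenerArgumentCaptor.capture());
+
+        assertThat(decoder.frameListener(),
+                CoreMatchers.not(CoreMatchers.instanceOf(delegatingFrameListenerType())));
+    }
+
+    @Test
+    public void testDecorationWithNull() {
+        Http2ConnectionDecoder delegate = mock(Http2ConnectionDecoder.class);
+
+        DecoratingHttp2ConnectionDecoder decoder = newDecoder(delegate);
+        decoder.frameListener(null);
+        assertNull(decoder.frameListener());
+    }
+}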
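Review bot: testDecoration never asserts that the listener actually installed on the delegate is the decorating type; it captures the argument but only checks that decoder.frameListener() is not that type, so a decorator that passes the listener through unwrapped would still pass. Adding `assertThat(listenerArgumentCaptor.getValue(), CoreMatchers.instanceOf(delegatingFrameListenerType()));` right after the verify pins the wrapping, which is the behaviour this test exists for. Likewise testDecorationWithNull relies on the mock's default null return, so assertNull holds no matter what the decoder did with the null argument; `verify(delegate).frameListener((Http2FrameListener) null);` would confirm the null was forwarded rather than wrapped.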
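--- a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MaxRstFrameConnectionDecoderTest.java
+++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MaxRstFrameConnectionDecoderTest.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright 2023 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License, version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.netty.handler.codec.http2;
+
+public class Http2MaxRstFrameConnectionDecoderTest extends AbstractDecoratingHttp2ConnectionDecoderTest {
+
+    @Override
+    protected DecoratingHttp2ConnectionDecoder newDecoder(Http2ConnectionDecoder decoder) {
+        return new Http2MaxRstFrameDecoder(decoder, 200, 30);
+    }
+
+    @Override
+    protected Class<? extends Http2FrameListener> delegatingFrameListenerType() {
+        return Http2MaxRstFrameListener.class;
+    }
+}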
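Review bot: The limit and window handed to Http2MaxRstFrameDecoder in newDecoder (200 and 30) are bare literals with no explanation, and since the inherited tests only exercise listener wrapping, nothing here ever drives the rate limit itself. A comment such as `// Arbitrary limit/window: the decoration tests never trigger the RST limit.` keeps a future reader from assuming these mirror production defaults, which are not visible in this section. The actual flood behaviour (counter reset after the window, ENHANCE_YOUR_CALM on the limit+1th RST_STREAM) presumably has its own test elsewhere in the commit; if not, it deserves one given that this is the CVE mitigation.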