HTTP2: Guard against empty DATA frames (without end_of_stream flag) set #9461

Merged
merged 1 commit into 4.1 from http2_protection_empty_data on Aug 13, 2019

Conversation

@normanmaurer (Member) commented Aug 13, 2019

Motivation:

It is possible for a remote peer to flood the server / client with empty DATA frames (without the end_of_stream flag set) and so cause high CPU usage without ever hitting a limit. We need to guard against this.

See CVE-2019-9518

Modifications:

  • Add a new config option to AbstractHttp2ConnectionBuilder and sub-classes which allows setting the max number of consecutive empty DATA frames (without the end_of_stream flag). After this limit is hit we will close the connection. A limit of 10 is used by default.
  • Add unit tests

Result:

Guards against CVE-2019-9518
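As an added illustration of the guard the PR describes (example code, not Netty's implementation), the sketch below parses raw HTTP/2 frames and counts consecutive DATA frames that carry no application bytes and lack the end_of_stream flag, closing the connection once more than a configurable limit (default 10, as in the PR) arrive. Treating a padding-only DATA frame as empty and resetting the counter on any other frame are my assumptions about reasonable behaviour, not details stated on the page; the sample frames are constructed here.

```python
import struct
from collections import namedtuple
FRAME_HEADER_LEN = 9      # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id
TYPE_DATA = 0x0           # DATA frame type
FLAG_END_STREAM = 0x1     # end_of_stream flag
FLAG_PADDED = 0x8         # payload starts with a pad-length byte, followed by data, then padding
Frame = namedtuple("Frame", "type flags stream_id payload")

def build_frame(ftype, flags, stream_id, payload=b""):
    # Serializer used only to construct the sample input below.
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

def parse_frames(buf):
    # Split a raw byte string into frames; a frame whose payload is cut short is an error.
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags, sid = struct.unpack_from(">BBI", buf, off + 3)
        payload = buf[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append(Frame(ftype, flags, sid & 0x7FFFFFFF, payload))
        off += FRAME_HEADER_LEN + length
    return frames

def data_bytes(frame):
    # Application bytes after stripping padding (a padding-only frame counts as empty); assumption, see lead-in.
    if not frame.flags & FLAG_PADDED:
        return len(frame.payload)
    if not frame.payload or frame.payload[0] >= len(frame.payload):
        raise ValueError("invalid padding")   # PROTOCOL_ERROR per RFC 7540 section 6.1
    return len(frame.payload) - 1 - frame.payload[0]

class EmptyDataFrameGuard:
    # Counts consecutive empty DATA frames without end_of_stream; any other frame resets the count (assumption).
    def __init__(self, max_consecutive=10):   # 10 is the default limit the PR describes
        self.max_consecutive, self.count = max_consecutive, 0
    def on_frame(self, frame):
        # Returns False once the limit is exceeded, i.e. the connection should be closed.
        if frame.type == TYPE_DATA and not frame.flags & FLAG_END_STREAM and data_bytes(frame) == 0:
            self.count += 1
            return self.count <= self.max_consecutive
        self.count = 0
        return True

def should_close(buf, max_consecutive=10):
    guard = EmptyDataFrameGuard(max_consecutive)
    return any(not guard.on_frame(f) for f in parse_frames(buf))

SAMPLE_FLOOD = b"".join(build_frame(TYPE_DATA, 0, 1) for _ in range(11))  # constructed: 11 empty DATA frames, no flags
```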


@normanmaurer normanmaurer merged commit 7003dbd into 4.1 Aug 13, 2019

@normanmaurer normanmaurer deleted the http2_protection_empty_data branch Aug 13, 2019

@normanmaurer (Member, Author) commented Aug 13, 2019

Reviewed privately by Netty core devs...

normanmaurer added a commit that referenced this pull request Aug 14, 2019

HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461)
