Skip to content
Permalink
Browse files

http2: allow security revert for Ping/Settings Flood

nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.

The associated CVEs are CVE-2019-9512/CVE-2019-9515.

PR-URL: #29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information...
addaleax authored and targos committed Aug 12, 2019
1 parent bbb4769 commit 08021fac59a3aae798d42f9b870012acc1e634c5
Showing with 4 additions and 0 deletions.
  1. +3 −0 src/node_http2.cc
  2. +1 −0 src/node_revert.h
@@ -151,6 +151,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
}

if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
nghttp2_option_set_max_outbound_ack(options_, 10000);

// The padding strategy sets the mechanism by which we determine how much
// additional frame padding to apply to DATA and HEADERS frames. Currently
// this is set on a per-session basis, but eventually we may switch to
@@ -16,6 +16,7 @@
namespace node {

#define SECURITY_REVERSIONS(XX) \
XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood") \
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \

0 comments on commit 08021fa

Please sign in to comment.
You can’t perform that action at this time.