Skip to content

Commit 4570ed1

Browse files
addaleaxtargos
authored andcommitted
http2: limit number of rejected stream openings
Limit the number of streams that are rejected upon creation. Since each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM` error that should tell the peer to not open any more streams, continuing to open streams should be read as a sign of a misbehaving peer. The limit is currently set to 100 but could be changed or made configurable. This is intended to mitigate CVE-2019-9514. PR-URL: #29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent 88726f2 commit 4570ed1

File tree

3 files changed

+16
-1
lines changed

3 files changed

+16
-1
lines changed

src/node_http2.cc

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66
#include "node_http2.h"
77
#include "node_http2_state.h"
88
#include "node_perf.h"
9+
#include "node_revert.h"
910
#include "util-inl.h"
1011

1112
#include <algorithm>
@@ -921,11 +922,17 @@ int Http2Session::OnBeginHeadersCallback(nghttp2_session* handle,
921922
if (UNLIKELY(!session->CanAddStream() ||
922923
Http2Stream::New(session, id, frame->headers.cat) ==
923924
nullptr)) {
925+
if (session->rejected_stream_count_++ > 100 &&
926+
!IsReverted(SECURITY_REVERT_CVE_2019_9514)) {
927+
return NGHTTP2_ERR_CALLBACK_FAILURE;
928+
}
924929
// Too many concurrent streams being opened
925930
nghttp2_submit_rst_stream(**session, NGHTTP2_FLAG_NONE, id,
926931
NGHTTP2_ENHANCE_YOUR_CALM);
927932
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
928933
}
934+
935+
session->rejected_stream_count_ = 0;
929936
} else if (!stream->IsDestroyed()) {
930937
stream->StartHeaders(frame->headers.cat);
931938
}

src/node_http2.h

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1005,6 +1005,11 @@ class Http2Session : public AsyncWrap, public StreamListener {
10051005
std::vector<nghttp2_stream_write> outgoing_buffers_;
10061006
std::vector<uint8_t> outgoing_storage_;
10071007
std::vector<int32_t> pending_rst_streams_;
1008+
// Count streams that have been rejected while being opened. Exceeding a fixed
1009+
// limit will result in the session being destroyed, as an indication of a
1010+
// misbehaving peer. This counter is reset once new streams are being
1011+
// accepted again.
1012+
int32_t rejected_stream_count_ = 0;
10081013

10091014
void CopyDataIntoOutgoing(const uint8_t* src, size_t src_length);
10101015
void ClearOutgoing(int status);

src/node_revert.h

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,11 @@
1515
**/
1616
namespace node {
1717

18-
#define SECURITY_REVERSIONS(XX)
18+
#define SECURITY_REVERSIONS(XX) \
19+
XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
1920
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
21+
// TODO(addaleax): Remove all of the above before Node.js 13 as the comment
22+
// at the start of the file indicates.
2023

2124
enum reversion {
2225
#define V(code, ...) SECURITY_REVERT_##code,

0 commit comments

Comments
 (0)