Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
devel:languages:nodejs
nodejs8
CVE-2020-11080.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-11080.patch of Package nodejs8
commit 881c244a4e1b857d883cd105cd035a1fd6ed3fa6 Author: James M Snell <jasnell@gmail.com> Date: Mon Apr 27 10:47:58 2020 -0700 http2: implement support for max settings entries Adds the maxSettings option to limit the number of settings entries allowed per SETTINGS frame. Default 32 Signed-off-by: James M Snell <jasnell@gmail.com> Fixes: https://hackerone.com/reports/446662 CVE-ID: CVE-2020-11080 PR-URL: https://github.com/nodejs-private/node-private/pull/204 Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/207 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Index: node-v8.17.0/doc/api/http2.md =================================================================== --- node-v8.17.0.orig/doc/api/http2.md +++ node-v8.17.0/doc/api/http2.md @@ -1885,6 +1885,9 @@ error will be thrown. <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17105 description: Added the `maxOutstandingPings` option with a default limit of @@ -1902,6 +1905,8 @@ changes: * `options` {Object} * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. @@ -1995,6 +2000,9 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: v8.13.0 pr-url: https://github.com/nodejs/node/pull/22956 description: Added the `origins` option to automatically send an `ORIGIN` @@ -2016,6 +2024,8 @@ changes: **Default:** `false`. * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. This is a @@ -2097,6 +2107,9 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17105 description: Added the `maxOutstandingPings` option with a default limit of @@ -2111,6 +2124,8 @@ changes: * `options` {Object} * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. Index: node-v8.17.0/lib/internal/http2/util.js =================================================================== --- node-v8.17.0.orig/lib/internal/http2/util.js +++ node-v8.17.0/lib/internal/http2/util.js @@ -176,7 +176,8 @@ const IDX_OPTIONS_MAX_HEADER_LIST_PAIRS const IDX_OPTIONS_MAX_OUTSTANDING_PINGS = 6; const IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS = 7; const IDX_OPTIONS_MAX_SESSION_MEMORY = 8; -const IDX_OPTIONS_FLAGS = 9; +const IDX_OPTIONS_MAX_SETTINGS = 9; +const IDX_OPTIONS_FLAGS = 10; function updateOptionsBuffer(options) { var flags = 0; @@ -225,6 +226,11 @@ function updateOptionsBuffer(options) { optionsBuffer[IDX_OPTIONS_MAX_SESSION_MEMORY] = Math.max(1, options.maxSessionMemory); } + if (typeof options.maxSettings === 'number') { + flags |= (1 << IDX_OPTIONS_MAX_SETTINGS); + optionsBuffer[IDX_OPTIONS_MAX_SETTINGS] = + Math.max(1, options.maxSettings); + } optionsBuffer[IDX_OPTIONS_FLAGS] = flags; } Index: node-v8.17.0/src/node_http2.cc =================================================================== --- node-v8.17.0.orig/src/node_http2.cc +++ node-v8.17.0/src/node_http2.cc @@ -195,6 +195,12 @@ Http2Options::Http2Options(Environment* if (flags & (1 << IDX_OPTIONS_MAX_SESSION_MEMORY)) { SetMaxSessionMemory(buffer[IDX_OPTIONS_MAX_SESSION_MEMORY] * 1e6); } + + if (flags & (1 << IDX_OPTIONS_MAX_SETTINGS)) { + nghttp2_option_set_max_settings( + options_, + static_cast<size_t>(buffer[IDX_OPTIONS_MAX_SETTINGS])); + } } void Http2Session::Http2Settings::Init() { Index: node-v8.17.0/src/node_http2_state.h =================================================================== --- node-v8.17.0.orig/src/node_http2_state.h +++ node-v8.17.0/src/node_http2_state.h @@ -51,6 +51,7 @@ namespace http2 { IDX_OPTIONS_MAX_OUTSTANDING_PINGS, IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS, IDX_OPTIONS_MAX_SESSION_MEMORY, + IDX_OPTIONS_MAX_SETTINGS, IDX_OPTIONS_FLAGS }; Index: node-v8.17.0/test/parallel/test-http2-max-settings.js =================================================================== --- /dev/null +++ node-v8.17.0/test/parallel/test-http2-max-settings.js @@ -0,0 +1,35 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const http2 = require('http2'); + +const server = http2.createServer({ maxSettings: 1 }); + +// TODO(@jasnell): There is still a session event +// emitted on the server side but it will be destroyed +// immediately after creation and there will be no +// stream created. +server.on('session', common.mustCall((session) => { + session.on('stream', common.mustNotCall()); + session.on('remoteSettings', common.mustNotCall()); +})); +server.on('stream', common.mustNotCall()); + +server.listen(0, common.mustCall(() => { + // Specify two settings entries when a max of 1 is allowed. + // Connection should error immediately. + const client = http2.connect( + `http://localhost:${server.address().port}`, { + settings: { + // The actual settings values do not matter. + headerTableSize: 1000, + enablePush: false, + } }); + + client.on('error', common.mustCall(() => { + server.close(); + })); +})); Index: node-v8.17.0/test/parallel/test-http2-util-update-options-buffer.js =================================================================== --- node-v8.17.0.orig/test/parallel/test-http2-util-update-options-buffer.js +++ node-v8.17.0/test/parallel/test-http2-util-update-options-buffer.js @@ -21,7 +21,8 @@ const IDX_OPTIONS_MAX_HEADER_LIST_PAIRS const IDX_OPTIONS_MAX_OUTSTANDING_PINGS = 6; const IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS = 7; const IDX_OPTIONS_MAX_SESSION_MEMORY = 8; -const IDX_OPTIONS_FLAGS = 9; +const IDX_OPTIONS_MAX_SETTINGS = 9; +const IDX_OPTIONS_FLAGS = 10; { updateOptionsBuffer({ @@ -33,7 +34,8 @@ const IDX_OPTIONS_FLAGS = 9; maxHeaderListPairs: 6, maxOutstandingPings: 7, maxOutstandingSettings: 8, - maxSessionMemory: 9 + maxSessionMemory: 9, + maxSettings: 10, }); strictEqual(optionsBuffer[IDX_OPTIONS_MAX_DEFLATE_DYNAMIC_TABLE_SIZE], 1); @@ -45,6 +47,7 @@ const IDX_OPTIONS_FLAGS = 9; strictEqual(optionsBuffer[IDX_OPTIONS_MAX_OUTSTANDING_PINGS], 7); strictEqual(optionsBuffer[IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS], 8); strictEqual(optionsBuffer[IDX_OPTIONS_MAX_SESSION_MEMORY], 9); + strictEqual(optionsBuffer[IDX_OPTIONS_MAX_SETTINGS], 10); const flags = optionsBuffer[IDX_OPTIONS_FLAGS]; @@ -56,6 +59,7 @@ const IDX_OPTIONS_FLAGS = 9; ok(flags & (1 << IDX_OPTIONS_MAX_HEADER_LIST_PAIRS)); ok(flags & (1 << IDX_OPTIONS_MAX_OUTSTANDING_PINGS)); ok(flags & (1 << IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS)); + ok(flags & (1 << IDX_OPTIONS_MAX_SETTINGS)); } {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor