nghttp2: Add fix for CVE-2020-11080

Added below two patches to fix CVE-2020-11080: 1. CVE-2020-11080-1.patch 2. CVE-2020-11080-2.patch Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> [Refreshed patches to apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Rahul Taya <Rahul.Taya@kpit.com> 2021-02-25 13:02:59 +0530
committer: Armin Kuster <akuster808@gmail.com> 2021-03-16 08:40:06 -0700
commit: a8e3b20df3e1a97601bc54da9b2f1405c2056f7b (patch)
tree: de5142ff7be827982f4cd45e632212bb8aec5e2b
parent: 453bd7845fb4f9f67937b93bc7fd2275ca8f203b (diff)
download: meta-openembedded-a8e3b20df3e1a97601bc54da9b2f1405c2056f7b.tar.gz
3 files changed, 341 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
new file mode 100644
index 0000000000..ca181bb4b2
--- /dev/null
+++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
@@ -0,0 +1,31 @@
+From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Sun, 19 Apr 2020 09:12:24 -0700
+Subject: [PATCH] Earlier check for settings flood
+CVE: CVE-2020-11080
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch]
+Comment: No hunk refreshed
+Affects-version: < v1.41.0
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ lib/nghttp2_session.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+Index: nghttp2-1.40.0/lib/nghttp2_session.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.40.0/lib/nghttp2_session.c
+@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2
+           break;
+         }
+ 
+        /* Check the settings flood counter early to be safe */
+        if (session->obq_flood_counter_ >= session->max_outbound_ack &&
+            !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
+          return NGHTTP2_ERR_FLOODED;
+        }
+
+         iframe->state = NGHTTP2_IB_READ_SETTINGS;
+ 
+         if (iframe->payloadleft) {
diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch
new file mode 100644
index 0000000000..d3c57e9a80
--- /dev/null
+++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch
@@ -0,0 +1,308 @@
+From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Fri, 17 Apr 2020 16:53:51 -0700
+Subject: [PATCH] Implement max settings option
+CVE: CVE-2020-11080
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch]
+Comment: No hunks refreshed
+Affects-version: < v1.41.0
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ doc/CMakeLists.txt             |  1 +
+ doc/Makefile.am                |  1 +
+ lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
+ lib/nghttp2_helper.c           |  2 ++
+ lib/nghttp2_option.c           |  5 +++
+ lib/nghttp2_option.h           |  5 +++
+ lib/nghttp2_session.c          | 21 ++++++++++++
+ lib/nghttp2_session.h          |  2 ++
+ tests/main.c                   |  2 ++
+ tests/nghttp2_session_test.c   | 61 ++++++++++++++++++++++++++++++++++
+ tests/nghttp2_session_test.h   |  1 +
+ 11 files changed, 124 insertions(+)
+Index: nghttp2-1.40.0/doc/CMakeLists.txt
+===================================================================
+--- nghttp2-1.40.0.orig/doc/CMakeLists.txt
+++ nghttp2-1.40.0/doc/CMakeLists.txt
+@@ -42,6 +42,7 @@ set(APIDOCS
+   nghttp2_option_set_no_recv_client_magic.rst
+   nghttp2_option_set_peer_max_concurrent_streams.rst
+   nghttp2_option_set_user_recv_extension_type.rst
+  nghttp2_option_set_max_settings.rst
+   nghttp2_pack_settings_payload.rst
+   nghttp2_priority_spec_check_default.rst
+   nghttp2_priority_spec_default_init.rst
+Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h
+++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
+@@ -229,6 +229,13 @@ typedef struct {
+ #define NGHTTP2_CLIENT_MAGIC_LEN 24
+ 
+ /**
+ * @macro
+ *
+ * The default max number of settings per SETTINGS frame
+ */
+#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
+
+/**
+  * @enum
+  *
+  * Error codes used in this library.  The code range is [-999, -500],
+@@ -399,6 +406,11 @@ typedef enum {
+    */
+   NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
+   /**
+   * When a local endpoint receives too many settings entries
+   * in a single SETTINGS frame.
+   */
+  NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
+  /**
+    * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
+    * under unexpected condition and processing was terminated (e.g.,
+    * out of memory).  If application receives this error code, it must
+@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m
+ 
+ /**
+  * @function
+ *
+ * This function sets the maximum number of SETTINGS entries per
+ * SETTINGS frame that will be accepted. If more than those entries
+ * are received, the peer is considered to be misbehaving and session
+ * will be closed. The default value is 32.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
+                                                    size_t val);
+
+/**
+ * @function
+  *
+  * Initializes |*session_ptr| for client use.  The all members of
+  * |callbacks| are copied to |*session_ptr|.  Therefore |*session_ptr|
+Index: nghttp2-1.40.0/lib/nghttp2_helper.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c
+++ nghttp2-1.40.0/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c
+   case NGHTTP2_ERR_FLOODED:
+     return "Flooding was detected in this HTTP/2 session, and it must be "
+            "closed";
+  case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+    return "SETTINGS frame contained more than the maximum allowed entries";
+   default:
+     return "Unknown error code";
+   }
+Index: nghttp2-1.40.0/lib/nghttp2_option.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_option.c
+++ nghttp2-1.40.0/lib/nghttp2_option.c
+@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack
+   option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
+   option->max_outbound_ack = val;
+ }
+
+void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
+  option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
+  option->max_settings = val;
+}
+Index: nghttp2-1.40.0/lib/nghttp2_option.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_option.h
+++ nghttp2-1.40.0/lib/nghttp2_option.h
+@@ -67,6 +67,7 @@ typedef enum {
+   NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
+   NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
+   NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
+  NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
+ } nghttp2_option_flag;
+ 
+ /**
+@@ -86,6 +87,10 @@ struct nghttp2_option {
+    */
+   size_t max_outbound_ack;
+   /**
+   * NGHTTP2_OPT_MAX_SETTINGS
+   */
+  size_t max_settings;
+  /**
+    * Bitwise OR of nghttp2_option_flag to determine that which fields
+    * are specified.
+    */
+Index: nghttp2-1.40.0/lib/nghttp2_session.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.40.0/lib/nghttp2_session.c
+@@ -458,6 +458,7 @@ static int session_new(nghttp2_session *
+ 
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+  (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ 
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -521,6 +522,11 @@ static int session_new(nghttp2_session *
+     if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
+       (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
+     }
+
+    if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
+        option->max_settings) {
+      (*session_ptr)->max_settings = option->max_settings;
+    }
+   }
+ 
+   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2
+           iframe->max_niv =
+               iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
+ 
+          if (iframe->max_niv - 1 > session->max_settings) {
+            rv = nghttp2_session_terminate_session_with_reason(
+                session, NGHTTP2_ENHANCE_YOUR_CALM,
+                "SETTINGS: too many setting entries");
+            if (nghttp2_is_fatal(rv)) {
+              return rv;
+            }
+            return (ssize_t)inlen;
+          }
+
+           iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
+                                                    iframe->max_niv);
+ 
+@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter
+   if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
+     return NGHTTP2_ERR_INVALID_ARGUMENT;
+   }
+  /* SETTINGS frame contains too many settings */
+  if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
+        > session->max_settings) {
+    return NGHTTP2_ERR_TOO_MANY_SETTINGS;
+  }
+   rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
+                                               settings_payloadlen, mem);
+   if (rv != 0) {
+Index: nghttp2-1.40.0/lib/nghttp2_session.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.h
+++ nghttp2-1.40.0/lib/nghttp2_session.h
+@@ -267,6 +267,8 @@ struct nghttp2_session {
+   /* The maximum length of header block to send.  Calculated by the
+      same way as nghttp2_hd_deflate_bound() does. */
+   size_t max_send_header_block_length;
+  /* The maximum number of settings accepted per SETTINGS frame. */
+  size_t max_settings;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+Index: nghttp2-1.40.0/tests/main.c
+===================================================================
+--- nghttp2-1.40.0.orig/tests/main.c
+++ nghttp2-1.40.0/tests/main.c
+@@ -315,6 +315,8 @@ int main() {
+                    test_nghttp2_session_set_local_window_size) ||
+       !CU_add_test(pSuite, "session_cancel_from_before_frame_send",
+                    test_nghttp2_session_cancel_from_before_frame_send) ||
+      !CU_add_test(pSuite, "session_too_many_settings",
+                   test_nghttp2_session_too_many_settings) ||
+       !CU_add_test(pSuite, "session_removed_closed_stream",
+                    test_nghttp2_session_removed_closed_stream) ||
+       !CU_add_test(pSuite, "session_pause_data",
+Index: nghttp2-1.40.0/tests/nghttp2_session_test.c
+===================================================================
+--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c
+++ nghttp2-1.40.0/tests/nghttp2_session_test.c
+@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be
+   nghttp2_session_del(session);
+ }
+ 
+void test_nghttp2_session_too_many_settings(void) {
+  nghttp2_session *session;
+  nghttp2_option *option;
+  nghttp2_session_callbacks callbacks;
+  nghttp2_frame frame;
+  nghttp2_bufs bufs;
+  nghttp2_buf *buf;
+  ssize_t rv;
+  my_user_data ud;
+  nghttp2_settings_entry iv[3];
+  nghttp2_mem *mem;
+  nghttp2_outbound_item *item;
+
+  mem = nghttp2_mem_default();
+  frame_pack_bufs_init(&bufs);
+
+  memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
+  callbacks.on_frame_recv_callback = on_frame_recv_callback;
+  callbacks.send_callback = null_send_callback;
+
+  nghttp2_option_new(&option);
+  nghttp2_option_set_max_settings(option, 1);
+
+  nghttp2_session_client_new2(&session, &callbacks, &ud, option);
+
+  CU_ASSERT(1 == session->max_settings);
+
+  nghttp2_option_del(option);
+
+  iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
+  iv[0].value = 3000;
+
+  iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
+  iv[1].value = 16384;
+
+  nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
+                              2);
+
+  rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
+
+  CU_ASSERT(0 == rv);
+  CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
+
+  nghttp2_frame_settings_free(&frame.settings, mem);
+
+  buf = &bufs.head->buf;
+  assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
+
+  ud.frame_recv_cb_called = 0;
+
+  rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
+  CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
+
+  item = nghttp2_session_get_next_ob_item(session);
+  CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
+
+  nghttp2_bufs_reset(&bufs);
+  nghttp2_bufs_free(&bufs);
+  nghttp2_session_del(session);
+}
+
+ static void
+ prepare_session_removed_closed_stream(nghttp2_session *session,
+                                       nghttp2_hd_deflater *deflater) {
+Index: nghttp2-1.40.0/tests/nghttp2_session_test.h
+===================================================================
+--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h
+++ nghttp2-1.40.0/tests/nghttp2_session_test.h
+@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior
+ void test_nghttp2_session_repeated_priority_submission(void);
+ void test_nghttp2_session_set_local_window_size(void);
+ void test_nghttp2_session_cancel_from_before_frame_send(void);
+void test_nghttp2_session_too_many_settings(void);
+ void test_nghttp2_session_removed_closed_stream(void);
+ void test_nghttp2_session_pause_data(void);
+ void test_nghttp2_session_no_closed_streams(void);
+Index: nghttp2-1.40.0/doc/Makefile.am
+===================================================================
+--- nghttp2-1.40.0.orig/doc/Makefile.am
+++ nghttp2-1.40.0/doc/Makefile.am
+@@ -69,6 +69,7 @@ APIDOCS= \
+        nghttp2_option_set_peer_max_concurrent_streams.rst \
+        nghttp2_option_set_user_recv_extension_type.rst \
+        nghttp2_option_set_max_outbound_ack.rst \
+    nghttp2_option_set_max_settings.rst \
+        nghttp2_pack_settings_payload.rst \
+        nghttp2_priority_spec_check_default.rst \
+        nghttp2_priority_spec_default_init.rst \
diff --git a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
index 9ed8c56420..b497058ca6 100644
--- a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
+++ b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
@@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases"
 SRC_URI = "\
    https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \
    file://0001-fetch-ocsp-response-use-python3.patch \
+    file://CVE-2020-11080-1.patch \
+    file://CVE-2020-11080-2.patch \
 "
 SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c"
 SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073"
author	Rahul Taya <Rahul.Taya@kpit.com>	2021-02-25 13:02:59 +0530
committer	Armin Kuster <akuster808@gmail.com>	2021-03-16 08:40:06 -0700
commit	a8e3b20df3e1a97601bc54da9b2f1405c2056f7b (patch)
tree	de5142ff7be827982f4cd45e632212bb8aec5e2b
parent	453bd7845fb4f9f67937b93bc7fd2275ca8f203b (diff)
download	meta-openembedded-a8e3b20df3e1a97601bc54da9b2f1405c2056f7b.tar.gz

diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch new file mode 100644 index 0000000000..ca181bb4b2 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
@@ -0,0 +1,31 @@
		1	From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
		2	From: James M Snell <jasnell@gmail.com>
		3	Date: Sun, 19 Apr 2020 09:12:24 -0700
		4	Subject: [PATCH] Earlier check for settings flood
		5
		6	CVE: CVE-2020-11080
		7	Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch]
		8	Comment: No hunk refreshed
		9	Affects-version: < v1.41.0
		10	Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
		11	---
		12	lib/nghttp2_session.c \| 6 ++++++
		13	1 file changed, 6 insertions(+)
		14
		15	Index: nghttp2-1.40.0/lib/nghttp2_session.c
		16	===================================================================
		17	--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
		18	+++ nghttp2-1.40.0/lib/nghttp2_session.c
		19	@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2
		20	break;
		21	}
		22
		23	+ /* Check the settings flood counter early to be safe */
		24	+ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
		25	+ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
		26	+ return NGHTTP2_ERR_FLOODED;
		27	+ }
		28	+
		29	iframe->state = NGHTTP2_IB_READ_SETTINGS;
		30
		31	if (iframe->payloadleft) {


diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch new file mode 100644 index 0000000000..d3c57e9a80 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch
@@ -0,0 +1,308 @@
		1	From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001
		2	From: James M Snell <jasnell@gmail.com>
		3	Date: Fri, 17 Apr 2020 16:53:51 -0700
		4	Subject: [PATCH] Implement max settings option
		5
		6	CVE: CVE-2020-11080
		7	Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch]
		8	Comment: No hunks refreshed
		9	Affects-version: < v1.41.0
		10	Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
		11	---
		12	doc/CMakeLists.txt \| 1 +
		13	doc/Makefile.am \| 1 +
		14	lib/includes/nghttp2/nghttp2.h \| 23 +++++++++++++
		15	lib/nghttp2_helper.c \| 2 ++
		16	lib/nghttp2_option.c \| 5 +++
		17	lib/nghttp2_option.h \| 5 +++
		18	lib/nghttp2_session.c \| 21 ++++++++++++
		19	lib/nghttp2_session.h \| 2 ++
		20	tests/main.c \| 2 ++
		21	tests/nghttp2_session_test.c \| 61 ++++++++++++++++++++++++++++++++++
		22	tests/nghttp2_session_test.h \| 1 +
		23	11 files changed, 124 insertions(+)
		24
		25	Index: nghttp2-1.40.0/doc/CMakeLists.txt
		26	===================================================================
		27	--- nghttp2-1.40.0.orig/doc/CMakeLists.txt
		28	+++ nghttp2-1.40.0/doc/CMakeLists.txt
		29	@@ -42,6 +42,7 @@ set(APIDOCS
		30	nghttp2_option_set_no_recv_client_magic.rst
		31	nghttp2_option_set_peer_max_concurrent_streams.rst
		32	nghttp2_option_set_user_recv_extension_type.rst
		33	+ nghttp2_option_set_max_settings.rst
		34	nghttp2_pack_settings_payload.rst
		35	nghttp2_priority_spec_check_default.rst
		36	nghttp2_priority_spec_default_init.rst
		37	Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
		38	===================================================================
		39	--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h
		40	+++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
		41	@@ -229,6 +229,13 @@ typedef struct {
		42	#define NGHTTP2_CLIENT_MAGIC_LEN 24
		43
		44	/**
		45	+ * @macro
		46	+ *
		47	+ * The default max number of settings per SETTINGS frame
		48	+ */
		49	+#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
		50	+
		51	+/**
		52	* @enum
		53	*
		54	* Error codes used in this library. The code range is [-999, -500],
		55	@@ -399,6 +406,11 @@ typedef enum {
		56	*/
		57	NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
		58	/**
		59	+ * When a local endpoint receives too many settings entries
		60	+ * in a single SETTINGS frame.
		61	+ */
		62	+ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
		63	+ /**
		64	* The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
		65	* under unexpected condition and processing was terminated (e.g.,
		66	* out of memory). If application receives this error code, it must
		67	@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m
		68
		69	/**
		70	* @function
		71	+ *
		72	+ * This function sets the maximum number of SETTINGS entries per
		73	+ * SETTINGS frame that will be accepted. If more than those entries
		74	+ * are received, the peer is considered to be misbehaving and session
		75	+ * will be closed. The default value is 32.
		76	+ */
		77	+NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
		78	+ size_t val);
		79	+
		80	+/**
		81	+ * @function
		82	*
		83	* Initializes \|*session_ptr\| for client use. The all members of
		84	* \|callbacks\| are copied to \|session_ptr\|. Therefore \|session_ptr\|
		85	Index: nghttp2-1.40.0/lib/nghttp2_helper.c
		86	===================================================================
		87	--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c
		88	+++ nghttp2-1.40.0/lib/nghttp2_helper.c
		89	@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c
		90	case NGHTTP2_ERR_FLOODED:
		91	return "Flooding was detected in this HTTP/2 session, and it must be "
		92	"closed";
		93	+ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
		94	+ return "SETTINGS frame contained more than the maximum allowed entries";
		95	default:
		96	return "Unknown error code";
		97	}
		98	Index: nghttp2-1.40.0/lib/nghttp2_option.c
		99	===================================================================
		100	--- nghttp2-1.40.0.orig/lib/nghttp2_option.c
		101	+++ nghttp2-1.40.0/lib/nghttp2_option.c
		102	@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack
		103	option->opt_set_mask \|= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
		104	option->max_outbound_ack = val;
		105	}
		106	+
		107	+void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
		108	+ option->opt_set_mask \|= NGHTTP2_OPT_MAX_SETTINGS;
		109	+ option->max_settings = val;
		110	+}
		111	Index: nghttp2-1.40.0/lib/nghttp2_option.h
		112	===================================================================
		113	--- nghttp2-1.40.0.orig/lib/nghttp2_option.h
		114	+++ nghttp2-1.40.0/lib/nghttp2_option.h
		115	@@ -67,6 +67,7 @@ typedef enum {
		116	NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
		117	NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
		118	NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
		119	+ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
		120	} nghttp2_option_flag;
		121
		122	/**
		123	@@ -86,6 +87,10 @@ struct nghttp2_option {
		124	*/
		125	size_t max_outbound_ack;
		126	/**
		127	+ * NGHTTP2_OPT_MAX_SETTINGS
		128	+ */
		129	+ size_t max_settings;
		130	+ /**
		131	* Bitwise OR of nghttp2_option_flag to determine that which fields
		132	* are specified.
		133	*/
		134	Index: nghttp2-1.40.0/lib/nghttp2_session.c
		135	===================================================================
		136	--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
		137	+++ nghttp2-1.40.0/lib/nghttp2_session.c
		138	@@ -458,6 +458,7 @@ static int session_new(nghttp2_session *
		139
		140	(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
		141	(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
		142	+ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
		143
		144	if (option) {
		145	if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
		146	@@ -521,6 +522,11 @@ static int session_new(nghttp2_session *
		147	if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
		148	(*session_ptr)->max_outbound_ack = option->max_outbound_ack;
		149	}
		150	+
		151	+ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
		152	+ option->max_settings) {
		153	+ (*session_ptr)->max_settings = option->max_settings;
		154	+ }
		155	}
		156
		157	rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
		158	@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2
		159	iframe->max_niv =
		160	iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
		161
		162	+ if (iframe->max_niv - 1 > session->max_settings) {
		163	+ rv = nghttp2_session_terminate_session_with_reason(
		164	+ session, NGHTTP2_ENHANCE_YOUR_CALM,
		165	+ "SETTINGS: too many setting entries");
		166	+ if (nghttp2_is_fatal(rv)) {
		167	+ return rv;
		168	+ }
		169	+ return (ssize_t)inlen;
		170	+ }
		171	+
		172	iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
		173	iframe->max_niv);
		174
		175	@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter
		176	if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
		177	return NGHTTP2_ERR_INVALID_ARGUMENT;
		178	}
		179	+ /* SETTINGS frame contains too many settings */
		180	+ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
		181	+ > session->max_settings) {
		182	+ return NGHTTP2_ERR_TOO_MANY_SETTINGS;
		183	+ }
		184	rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
		185	settings_payloadlen, mem);
		186	if (rv != 0) {
		187	Index: nghttp2-1.40.0/lib/nghttp2_session.h
		188	===================================================================
		189	--- nghttp2-1.40.0.orig/lib/nghttp2_session.h
		190	+++ nghttp2-1.40.0/lib/nghttp2_session.h
		191	@@ -267,6 +267,8 @@ struct nghttp2_session {
		192	/* The maximum length of header block to send. Calculated by the
		193	same way as nghttp2_hd_deflate_bound() does. */
		194	size_t max_send_header_block_length;
		195	+ /* The maximum number of settings accepted per SETTINGS frame. */
		196	+ size_t max_settings;
		197	/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
		198	uint32_t next_stream_id;
		199	/* The last stream ID this session initiated. For client session,
		200	Index: nghttp2-1.40.0/tests/main.c
		201	===================================================================
		202	--- nghttp2-1.40.0.orig/tests/main.c
		203	+++ nghttp2-1.40.0/tests/main.c
		204	@@ -315,6 +315,8 @@ int main() {
		205	test_nghttp2_session_set_local_window_size) \|\|
		206	!CU_add_test(pSuite, "session_cancel_from_before_frame_send",
		207	test_nghttp2_session_cancel_from_before_frame_send) \|\|
		208	+ !CU_add_test(pSuite, "session_too_many_settings",
		209	+ test_nghttp2_session_too_many_settings) \|\|
		210	!CU_add_test(pSuite, "session_removed_closed_stream",
		211	test_nghttp2_session_removed_closed_stream) \|\|
		212	!CU_add_test(pSuite, "session_pause_data",
		213	Index: nghttp2-1.40.0/tests/nghttp2_session_test.c
		214	===================================================================
		215	--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c
		216	+++ nghttp2-1.40.0/tests/nghttp2_session_test.c
		217	@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be
		218	nghttp2_session_del(session);
		219	}
		220
		221	+void test_nghttp2_session_too_many_settings(void) {
		222	+ nghttp2_session *session;
		223	+ nghttp2_option *option;
		224	+ nghttp2_session_callbacks callbacks;
		225	+ nghttp2_frame frame;
		226	+ nghttp2_bufs bufs;
		227	+ nghttp2_buf *buf;
		228	+ ssize_t rv;
		229	+ my_user_data ud;
		230	+ nghttp2_settings_entry iv[3];
		231	+ nghttp2_mem *mem;
		232	+ nghttp2_outbound_item *item;
		233	+
		234	+ mem = nghttp2_mem_default();
		235	+ frame_pack_bufs_init(&bufs);
		236	+
		237	+ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
		238	+ callbacks.on_frame_recv_callback = on_frame_recv_callback;
		239	+ callbacks.send_callback = null_send_callback;
		240	+
		241	+ nghttp2_option_new(&option);
		242	+ nghttp2_option_set_max_settings(option, 1);
		243	+
		244	+ nghttp2_session_client_new2(&session, &callbacks, &ud, option);
		245	+
		246	+ CU_ASSERT(1 == session->max_settings);
		247	+
		248	+ nghttp2_option_del(option);
		249	+
		250	+ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
		251	+ iv[0].value = 3000;
		252	+
		253	+ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
		254	+ iv[1].value = 16384;
		255	+
		256	+ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
		257	+ 2);
		258	+
		259	+ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
		260	+
		261	+ CU_ASSERT(0 == rv);
		262	+ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
		263	+
		264	+ nghttp2_frame_settings_free(&frame.settings, mem);
		265	+
		266	+ buf = &bufs.head->buf;
		267	+ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
		268	+
		269	+ ud.frame_recv_cb_called = 0;
		270	+
		271	+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
		272	+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
		273	+
		274	+ item = nghttp2_session_get_next_ob_item(session);
		275	+ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
		276	+
		277	+ nghttp2_bufs_reset(&bufs);
		278	+ nghttp2_bufs_free(&bufs);
		279	+ nghttp2_session_del(session);
		280	+}
		281	+
		282	static void
		283	prepare_session_removed_closed_stream(nghttp2_session *session,
		284	nghttp2_hd_deflater *deflater) {
		285	Index: nghttp2-1.40.0/tests/nghttp2_session_test.h
		286	===================================================================
		287	--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h
		288	+++ nghttp2-1.40.0/tests/nghttp2_session_test.h
		289	@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior
		290	void test_nghttp2_session_repeated_priority_submission(void);
		291	void test_nghttp2_session_set_local_window_size(void);
		292	void test_nghttp2_session_cancel_from_before_frame_send(void);
		293	+void test_nghttp2_session_too_many_settings(void);
		294	void test_nghttp2_session_removed_closed_stream(void);
		295	void test_nghttp2_session_pause_data(void);
		296	void test_nghttp2_session_no_closed_streams(void);
		297	Index: nghttp2-1.40.0/doc/Makefile.am
		298	===================================================================
		299	--- nghttp2-1.40.0.orig/doc/Makefile.am
		300	+++ nghttp2-1.40.0/doc/Makefile.am
		301	@@ -69,6 +69,7 @@ APIDOCS= \
		302	nghttp2_option_set_peer_max_concurrent_streams.rst \
		303	nghttp2_option_set_user_recv_extension_type.rst \
		304	nghttp2_option_set_max_outbound_ack.rst \
		305	+ nghttp2_option_set_max_settings.rst \
		306	nghttp2_pack_settings_payload.rst \
		307	nghttp2_priority_spec_check_default.rst \
		308	nghttp2_priority_spec_default_init.rst \


diff --git a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb index 9ed8c56420..b497058ca6 100644 --- a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb +++ b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
@@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases"
10	SRC_URI = "\	10	SRC_URI = "\
11	https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \	11	https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \
12	file://0001-fetch-ocsp-response-use-python3.patch \	12	file://0001-fetch-ocsp-response-use-python3.patch \
		13	file://CVE-2020-11080-1.patch \
		14	file://CVE-2020-11080-2.patch \
13	"	15	"
14	SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c"	16	SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c"
15	SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073"	17	SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073"