nghttp2: Fix CVE-2024-28182

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. References: https://nvd.nist.gov/vuln/detail/CVE-2024-28182 (From OE-Core rev: 85e65af4727695d61c225a5911325764f423c331) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-04-16 12:48:35 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-04-21 06:33:34 -0700
commit: 9babd9f028d714bb9c9ec84dd3d547c04268a4f6 (patch)
tree: 61be5a0bb48927aa0d559f67d10a37f50e314999
parent: 0f437fb0f2bc7f27aab3dee70544f2a339cdccaa (diff)
download: poky-9babd9f028d714bb9c9ec84dd3d547c04268a4f6.tar.gz
3 files changed, 217 insertions, 0 deletions
diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
new file mode 100644
index 0000000000..e1d909b0d1
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
@@ -0,0 +1,110 @@
+From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+CVE: CVE-2024-28182
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ lib/nghttp2_helper.c           |  2 ++
+ lib/nghttp2_session.c          |  7 +++++++
+ lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index 2bd35f4..6cc8c0c 100644
+--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
+@@ -440,7 +440,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
+  NGHTTP2_ERR_FLOODED = -904,
+  /**
+   * When a local endpoint receives too many CONTINUATION frames
+   * following a HEADER frame.
+   */
+  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+ /**
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 588e269..98989f6 100644
+--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+            "closed";
+   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+     return "SETTINGS frame contained more than the maximum allowed entries";
+  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 5c834fa..537127c 100644
+--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
+@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6307,6 +6308,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           }
+         }
+         session_inbound_frame_reset(session);
+
+        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6428,6 +6431,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+       }
+ #endif /* DEBUGBUILD */
+      if (++session->num_continuations > session->max_continuations) {
+        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+      }
+
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index 5f71a16..9a00b0e 100644
+--- a/lib/nghttp2_session.h
+++ b/lib/nghttp2_session.h
+@@ -107,6 +107,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+   HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -279,6 +283,12 @@ struct nghttp2_session {
+   size_t max_send_header_block_length;
+   /* The maximum number of settings accepted per SETTINGS frame. */
+   size_t max_settings;
+  /* The maximum number of CONTINUATION frames following an incoming
+     HEADER frame. */
+  size_t max_continuations;
+  /* The number of CONTINUATION frames following an incoming HEADER
+     frame.  This variable is reset when END_HEADERS flag is seen. */
+  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+--
+2.40.0
diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch
new file mode 100644
index 0000000000..fee19465d5
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch
@@ -0,0 +1,105 @@
+From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:48:10 +0900
+Subject: [PATCH] Add nghttp2_option_set_max_continuations
+CVE: CVE-2024-28182
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ doc/Makefile.am                |  1 +
+ lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
+ lib/nghttp2_option.c           |  5 +++++
+ lib/nghttp2_option.h           |  5 +++++
+ lib/nghttp2_session.c          |  4 ++++
+ 5 files changed, 26 insertions(+)
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index b9d5a2d..83cfdfd 100644
+--- a/doc/Makefile.am
+++ b/doc/Makefile.am
+@@ -70,6 +70,7 @@ APIDOCS= \
+        nghttp2_option_set_no_recv_client_magic.rst \
+        nghttp2_option_set_peer_max_concurrent_streams.rst \
+        nghttp2_option_set_user_recv_extension_type.rst \
+       nghttp2_option_set_max_continuations.rst \
+        nghttp2_option_set_max_outbound_ack.rst \
+        nghttp2_option_set_max_settings.rst \
+        nghttp2_option_set_stream_reset_rate_limit.rst \
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index 6cc8c0c..c77cca9 100644
+--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
+@@ -2724,6 +2724,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
+ NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
+                                                     size_t val);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame.  If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed.  The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+                                                         size_t val);
+
+ /**
+  * @function
+  *
+diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
+index 0d9a404..f3659c1 100644
+--- a/lib/nghttp2_option.c
+++ b/lib/nghttp2_option.c
+@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+   option->stream_reset_burst = burst;
+   option->stream_reset_rate = rate;
+ }
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+  option->max_continuations = val;
+}
+diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
+index e6ba910..c1b48c7 100644
+--- a/lib/nghttp2_option.h
+++ b/lib/nghttp2_option.h
+@@ -69,6 +69,7 @@ typedef enum {
+   NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
+   NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
+   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
+ } nghttp2_option_flag;
+ /**
+@@ -96,6 +97,10 @@ struct nghttp2_option {
+    * NGHTTP2_OPT_MAX_SETTINGS
+    */
+   size_t max_settings;
+  /**
+   * NGHTTP2_OPT_MAX_CONTINUATIONS
+   */
+  size_t max_continuations;
+   /**
+    * Bitwise OR of nghttp2_option_flag to determine that which fields
+    * are specified.
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 537127c..b390cd5 100644
+--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
+@@ -539,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr,
+                            option->stream_reset_burst,
+                            option->stream_reset_rate);
+     }
+
+    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+      (*session_ptr)->max_continuations = option->max_continuations;
+    }
+   }
+   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+--
+2.40.0
diff --git a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
index b67313b5c2..79b1cf95c5 100644
--- a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
+++ b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
    file://0001-fetch-ocsp-response-use-python3.patch \
    file://CVE-2023-35945.patch \
    file://CVE-2023-44487.patch \
+    file://CVE-2024-28182-0001.patch \
+    file://CVE-2024-28182-0002.patch \
 "
 SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc"
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-04-16 12:48:35 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-04-21 06:33:34 -0700
commit	9babd9f028d714bb9c9ec84dd3d547c04268a4f6 (patch)
tree	61be5a0bb48927aa0d559f67d10a37f50e314999
parent	0f437fb0f2bc7f27aab3dee70544f2a339cdccaa (diff)
download	poky-9babd9f028d714bb9c9ec84dd3d547c04268a4f6.tar.gz

diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch new file mode 100644 index 0000000000..e1d909b0d1 --- /dev/null +++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
@@ -0,0 +1,110 @@
		1	From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
		2	From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
		3	Date: Sat, 9 Mar 2024 16:26:42 +0900
		4	Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
		5
		6	CVE: CVE-2024-28182
		7
		8	Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0]
		9
		10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		11	---
		12	lib/includes/nghttp2/nghttp2.h \| 7 ++++++-
		13	lib/nghttp2_helper.c \| 2 ++
		14	lib/nghttp2_session.c \| 7 +++++++
		15	lib/nghttp2_session.h \| 10 ++++++++++
		16	4 files changed, 25 insertions(+), 1 deletion(-)
		17
		18	diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
		19	index 2bd35f4..6cc8c0c 100644
		20	--- a/lib/includes/nghttp2/nghttp2.h
		21	+++ b/lib/includes/nghttp2/nghttp2.h
		22	@@ -440,7 +440,12 @@ typedef enum {
		23	* exhaustion on server side to send these frames forever and does
		24	* not read network.
		25	*/
		26	- NGHTTP2_ERR_FLOODED = -904
		27	+ NGHTTP2_ERR_FLOODED = -904,
		28	+ /**
		29	+ * When a local endpoint receives too many CONTINUATION frames
		30	+ * following a HEADER frame.
		31	+ */
		32	+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
		33	} nghttp2_error;
		34
		35	/**
		36	diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
		37	index 588e269..98989f6 100644
		38	--- a/lib/nghttp2_helper.c
		39	+++ b/lib/nghttp2_helper.c
		40	@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
		41	"closed";
		42	case NGHTTP2_ERR_TOO_MANY_SETTINGS:
		43	return "SETTINGS frame contained more than the maximum allowed entries";
		44	+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
		45	+ return "Too many CONTINUATION frames following a HEADER frame";
		46	default:
		47	return "Unknown error code";
		48	}
		49	diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
		50	index 5c834fa..537127c 100644
		51	--- a/lib/nghttp2_session.c
		52	+++ b/lib/nghttp2_session.c
		53	@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
		54	(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
		55	(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
		56	(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
		57	+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
		58
		59	if (option) {
		60	if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
		61	@@ -6307,6 +6308,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session session, const uint8_t in,
		62	}
		63	}
		64	session_inbound_frame_reset(session);
		65	+
		66	+ session->num_continuations = 0;
		67	}
		68	break;
		69	}
		70	@@ -6428,6 +6431,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session session, const uint8_t in,
		71	}
		72	#endif /* DEBUGBUILD */
		73
		74	+ if (++session->num_continuations > session->max_continuations) {
		75	+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
		76	+ }
		77	+
		78	readlen = inbound_frame_buf_read(iframe, in, last);
		79	in += readlen;
		80
		81	diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
		82	index 5f71a16..9a00b0e 100644
		83	--- a/lib/nghttp2_session.h
		84	+++ b/lib/nghttp2_session.h
		85	@@ -107,6 +107,10 @@ typedef struct {
		86	#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
		87	#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
		88
		89	+/* The default max number of CONTINUATION frames following an incoming
		90	+ HEADER frame. */
		91	+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
		92	+
		93	/* Internal state when receiving incoming frame */
		94	typedef enum {
		95	/* Receiving frame header */
		96	@@ -279,6 +283,12 @@ struct nghttp2_session {
		97	size_t max_send_header_block_length;
		98	/* The maximum number of settings accepted per SETTINGS frame. */
		99	size_t max_settings;
		100	+ /* The maximum number of CONTINUATION frames following an incoming
		101	+ HEADER frame. */
		102	+ size_t max_continuations;
		103	+ /* The number of CONTINUATION frames following an incoming HEADER
		104	+ frame. This variable is reset when END_HEADERS flag is seen. */
		105	+ size_t num_continuations;
		106	/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
		107	uint32_t next_stream_id;
		108	/* The last stream ID this session initiated. For client session,
		109	--
		110	2.40.0


diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch new file mode 100644 index 0000000000..fee19465d5 --- /dev/null +++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch
@@ -0,0 +1,105 @@
		1	From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001
		2	From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
		3	Date: Sat, 9 Mar 2024 16:48:10 +0900
		4	Subject: [PATCH] Add nghttp2_option_set_max_continuations
		5
		6	CVE: CVE-2024-28182
		7
		8	Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9]
		9
		10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		11	---
		12	doc/Makefile.am \| 1 +
		13	lib/includes/nghttp2/nghttp2.h \| 11 +++++++++++
		14	lib/nghttp2_option.c \| 5 +++++
		15	lib/nghttp2_option.h \| 5 +++++
		16	lib/nghttp2_session.c \| 4 ++++
		17	5 files changed, 26 insertions(+)
		18
		19	diff --git a/doc/Makefile.am b/doc/Makefile.am
		20	index b9d5a2d..83cfdfd 100644
		21	--- a/doc/Makefile.am
		22	+++ b/doc/Makefile.am
		23	@@ -70,6 +70,7 @@ APIDOCS= \
		24	nghttp2_option_set_no_recv_client_magic.rst \
		25	nghttp2_option_set_peer_max_concurrent_streams.rst \
		26	nghttp2_option_set_user_recv_extension_type.rst \
		27	+ nghttp2_option_set_max_continuations.rst \
		28	nghttp2_option_set_max_outbound_ack.rst \
		29	nghttp2_option_set_max_settings.rst \
		30	nghttp2_option_set_stream_reset_rate_limit.rst \
		31	diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
		32	index 6cc8c0c..c77cca9 100644
		33	--- a/lib/includes/nghttp2/nghttp2.h
		34	+++ b/lib/includes/nghttp2/nghttp2.h
		35	@@ -2724,6 +2724,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
		36	NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
		37	size_t val);
		38
		39	+/**
		40	+ * @function
		41	+ *
		42	+ * This function sets the maximum number of CONTINUATION frames
		43	+ * following an incoming HEADER frame. If more than those frames are
		44	+ * received, the remote endpoint is considered to be misbehaving and
		45	+ * session will be closed. The default value is 8.
		46	+ */
		47	+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
		48	+ size_t val);
		49	+
		50	/**
		51	* @function
		52	*
		53	diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
		54	index 0d9a404..f3659c1 100644
		55	--- a/lib/nghttp2_option.c
		56	+++ b/lib/nghttp2_option.c
		57	@@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
		58	option->stream_reset_burst = burst;
		59	option->stream_reset_rate = rate;
		60	}
		61	+
		62	+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
		63	+ option->opt_set_mask \|= NGHTTP2_OPT_MAX_CONTINUATIONS;
		64	+ option->max_continuations = val;
		65	+}
		66	diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
		67	index e6ba910..c1b48c7 100644
		68	--- a/lib/nghttp2_option.h
		69	+++ b/lib/nghttp2_option.h
		70	@@ -69,6 +69,7 @@ typedef enum {
		71	NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
		72	NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
		73	NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
		74	+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
		75	} nghttp2_option_flag;
		76
		77	/**
		78	@@ -96,6 +97,10 @@ struct nghttp2_option {
		79	* NGHTTP2_OPT_MAX_SETTINGS
		80	*/
		81	size_t max_settings;
		82	+ /**
		83	+ * NGHTTP2_OPT_MAX_CONTINUATIONS
		84	+ */
		85	+ size_t max_continuations;
		86	/**
		87	* Bitwise OR of nghttp2_option_flag to determine that which fields
		88	* are specified.
		89	diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
		90	index 537127c..b390cd5 100644
		91	--- a/lib/nghttp2_session.c
		92	+++ b/lib/nghttp2_session.c
		93	@@ -539,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr,
		94	option->stream_reset_burst,
		95	option->stream_reset_rate);
		96	}
		97	+
		98	+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
		99	+ (*session_ptr)->max_continuations = option->max_continuations;
		100	+ }
		101	}
		102
		103	rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
		104	--
		105	2.40.0


diff --git a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb index b67313b5c2..79b1cf95c5 100644 --- a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb +++ b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
11	file://0001-fetch-ocsp-response-use-python3.patch \	11	file://0001-fetch-ocsp-response-use-python3.patch \
12	file://CVE-2023-35945.patch \	12	file://CVE-2023-35945.patch \
13	file://CVE-2023-44487.patch \	13	file://CVE-2023-44487.patch \
		14	file://CVE-2024-28182-0001.patch \
		15	file://CVE-2024-28182-0002.patch \
14	"	16	"
15	SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc"	17	SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc"
16		18