diff options
3 files changed, 217 insertions, 0 deletions
diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch new file mode 100644 index 0000000000..e1d909b0d1 --- /dev/null +++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch | |||
@@ -0,0 +1,110 @@ | |||
1 | From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | ||
3 | Date: Sat, 9 Mar 2024 16:26:42 +0900 | ||
4 | Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame | ||
5 | |||
6 | CVE: CVE-2024-28182 | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0] | ||
9 | |||
10 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
11 | --- | ||
12 | lib/includes/nghttp2/nghttp2.h | 7 ++++++- | ||
13 | lib/nghttp2_helper.c | 2 ++ | ||
14 | lib/nghttp2_session.c | 7 +++++++ | ||
15 | lib/nghttp2_session.h | 10 ++++++++++ | ||
16 | 4 files changed, 25 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h | ||
19 | index 2bd35f4..6cc8c0c 100644 | ||
20 | --- a/lib/includes/nghttp2/nghttp2.h | ||
21 | +++ b/lib/includes/nghttp2/nghttp2.h | ||
22 | @@ -440,7 +440,12 @@ typedef enum { | ||
23 | * exhaustion on server side to send these frames forever and does | ||
24 | * not read network. | ||
25 | */ | ||
26 | - NGHTTP2_ERR_FLOODED = -904 | ||
27 | + NGHTTP2_ERR_FLOODED = -904, | ||
28 | + /** | ||
29 | + * When a local endpoint receives too many CONTINUATION frames | ||
30 | + * following a HEADER frame. | ||
31 | + */ | ||
32 | + NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, | ||
33 | } nghttp2_error; | ||
34 | |||
35 | /** | ||
36 | diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c | ||
37 | index 588e269..98989f6 100644 | ||
38 | --- a/lib/nghttp2_helper.c | ||
39 | +++ b/lib/nghttp2_helper.c | ||
40 | @@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) { | ||
41 | "closed"; | ||
42 | case NGHTTP2_ERR_TOO_MANY_SETTINGS: | ||
43 | return "SETTINGS frame contained more than the maximum allowed entries"; | ||
44 | + case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: | ||
45 | + return "Too many CONTINUATION frames following a HEADER frame"; | ||
46 | default: | ||
47 | return "Unknown error code"; | ||
48 | } | ||
49 | diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c | ||
50 | index 5c834fa..537127c 100644 | ||
51 | --- a/lib/nghttp2_session.c | ||
52 | +++ b/lib/nghttp2_session.c | ||
53 | @@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr, | ||
54 | (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; | ||
55 | (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; | ||
56 | (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; | ||
57 | + (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; | ||
58 | |||
59 | if (option) { | ||
60 | if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && | ||
61 | @@ -6307,6 +6308,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, | ||
62 | } | ||
63 | } | ||
64 | session_inbound_frame_reset(session); | ||
65 | + | ||
66 | + session->num_continuations = 0; | ||
67 | } | ||
68 | break; | ||
69 | } | ||
70 | @@ -6428,6 +6431,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, | ||
71 | } | ||
72 | #endif /* DEBUGBUILD */ | ||
73 | |||
74 | + if (++session->num_continuations > session->max_continuations) { | ||
75 | + return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; | ||
76 | + } | ||
77 | + | ||
78 | readlen = inbound_frame_buf_read(iframe, in, last); | ||
79 | in += readlen; | ||
80 | |||
81 | diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h | ||
82 | index 5f71a16..9a00b0e 100644 | ||
83 | --- a/lib/nghttp2_session.h | ||
84 | +++ b/lib/nghttp2_session.h | ||
85 | @@ -107,6 +107,10 @@ typedef struct { | ||
86 | #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 | ||
87 | #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 | ||
88 | |||
89 | +/* The default max number of CONTINUATION frames following an incoming | ||
90 | + HEADER frame. */ | ||
91 | +#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 | ||
92 | + | ||
93 | /* Internal state when receiving incoming frame */ | ||
94 | typedef enum { | ||
95 | /* Receiving frame header */ | ||
96 | @@ -279,6 +283,12 @@ struct nghttp2_session { | ||
97 | size_t max_send_header_block_length; | ||
98 | /* The maximum number of settings accepted per SETTINGS frame. */ | ||
99 | size_t max_settings; | ||
100 | + /* The maximum number of CONTINUATION frames following an incoming | ||
101 | + HEADER frame. */ | ||
102 | + size_t max_continuations; | ||
103 | + /* The number of CONTINUATION frames following an incoming HEADER | ||
104 | + frame. This variable is reset when END_HEADERS flag is seen. */ | ||
105 | + size_t num_continuations; | ||
106 | /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ | ||
107 | uint32_t next_stream_id; | ||
108 | /* The last stream ID this session initiated. For client session, | ||
109 | -- | ||
110 | 2.40.0 | ||
diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch new file mode 100644 index 0000000000..fee19465d5 --- /dev/null +++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch | |||
@@ -0,0 +1,105 @@ | |||
1 | From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | ||
3 | Date: Sat, 9 Mar 2024 16:48:10 +0900 | ||
4 | Subject: [PATCH] Add nghttp2_option_set_max_continuations | ||
5 | |||
6 | CVE: CVE-2024-28182 | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9] | ||
9 | |||
10 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
11 | --- | ||
12 | doc/Makefile.am | 1 + | ||
13 | lib/includes/nghttp2/nghttp2.h | 11 +++++++++++ | ||
14 | lib/nghttp2_option.c | 5 +++++ | ||
15 | lib/nghttp2_option.h | 5 +++++ | ||
16 | lib/nghttp2_session.c | 4 ++++ | ||
17 | 5 files changed, 26 insertions(+) | ||
18 | |||
19 | diff --git a/doc/Makefile.am b/doc/Makefile.am | ||
20 | index b9d5a2d..83cfdfd 100644 | ||
21 | --- a/doc/Makefile.am | ||
22 | +++ b/doc/Makefile.am | ||
23 | @@ -70,6 +70,7 @@ APIDOCS= \ | ||
24 | nghttp2_option_set_no_recv_client_magic.rst \ | ||
25 | nghttp2_option_set_peer_max_concurrent_streams.rst \ | ||
26 | nghttp2_option_set_user_recv_extension_type.rst \ | ||
27 | + nghttp2_option_set_max_continuations.rst \ | ||
28 | nghttp2_option_set_max_outbound_ack.rst \ | ||
29 | nghttp2_option_set_max_settings.rst \ | ||
30 | nghttp2_option_set_stream_reset_rate_limit.rst \ | ||
31 | diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h | ||
32 | index 6cc8c0c..c77cca9 100644 | ||
33 | --- a/lib/includes/nghttp2/nghttp2.h | ||
34 | +++ b/lib/includes/nghttp2/nghttp2.h | ||
35 | @@ -2724,6 +2724,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, | ||
36 | NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option, | ||
37 | size_t val); | ||
38 | |||
39 | +/** | ||
40 | + * @function | ||
41 | + * | ||
42 | + * This function sets the maximum number of CONTINUATION frames | ||
43 | + * following an incoming HEADER frame. If more than those frames are | ||
44 | + * received, the remote endpoint is considered to be misbehaving and | ||
45 | + * session will be closed. The default value is 8. | ||
46 | + */ | ||
47 | +NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, | ||
48 | + size_t val); | ||
49 | + | ||
50 | /** | ||
51 | * @function | ||
52 | * | ||
53 | diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c | ||
54 | index 0d9a404..f3659c1 100644 | ||
55 | --- a/lib/nghttp2_option.c | ||
56 | +++ b/lib/nghttp2_option.c | ||
57 | @@ -133,3 +133,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, | ||
58 | option->stream_reset_burst = burst; | ||
59 | option->stream_reset_rate = rate; | ||
60 | } | ||
61 | + | ||
62 | +void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { | ||
63 | + option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; | ||
64 | + option->max_continuations = val; | ||
65 | +} | ||
66 | diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h | ||
67 | index e6ba910..c1b48c7 100644 | ||
68 | --- a/lib/nghttp2_option.h | ||
69 | +++ b/lib/nghttp2_option.h | ||
70 | @@ -69,6 +69,7 @@ typedef enum { | ||
71 | NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, | ||
72 | NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, | ||
73 | NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, | ||
74 | + NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, | ||
75 | } nghttp2_option_flag; | ||
76 | |||
77 | /** | ||
78 | @@ -96,6 +97,10 @@ struct nghttp2_option { | ||
79 | * NGHTTP2_OPT_MAX_SETTINGS | ||
80 | */ | ||
81 | size_t max_settings; | ||
82 | + /** | ||
83 | + * NGHTTP2_OPT_MAX_CONTINUATIONS | ||
84 | + */ | ||
85 | + size_t max_continuations; | ||
86 | /** | ||
87 | * Bitwise OR of nghttp2_option_flag to determine that which fields | ||
88 | * are specified. | ||
89 | diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c | ||
90 | index 537127c..b390cd5 100644 | ||
91 | --- a/lib/nghttp2_session.c | ||
92 | +++ b/lib/nghttp2_session.c | ||
93 | @@ -539,6 +539,10 @@ static int session_new(nghttp2_session **session_ptr, | ||
94 | option->stream_reset_burst, | ||
95 | option->stream_reset_rate); | ||
96 | } | ||
97 | + | ||
98 | + if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { | ||
99 | + (*session_ptr)->max_continuations = option->max_continuations; | ||
100 | + } | ||
101 | } | ||
102 | |||
103 | rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, | ||
104 | -- | ||
105 | 2.40.0 | ||
diff --git a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb index b67313b5c2..79b1cf95c5 100644 --- a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb +++ b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb | |||
@@ -11,6 +11,8 @@ SRC_URI = "\ | |||
11 | file://0001-fetch-ocsp-response-use-python3.patch \ | 11 | file://0001-fetch-ocsp-response-use-python3.patch \ |
12 | file://CVE-2023-35945.patch \ | 12 | file://CVE-2023-35945.patch \ |
13 | file://CVE-2023-44487.patch \ | 13 | file://CVE-2023-44487.patch \ |
14 | file://CVE-2024-28182-0001.patch \ | ||
15 | file://CVE-2024-28182-0002.patch \ | ||
14 | " | 16 | " |
15 | SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc" | 17 | SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc" |
16 | 18 | ||