From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 9 Dec 2021 06:13:31 -0500 Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a] CVE: CVE-2021-44716 Signed-off-by: Ralph Siemsen Pull in security fix a5309b3 http2: cap the size of the server's canonical header cache Updates #50058 Fixes CVE-2021-44716 Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9 Reviewed-on: https://go-review.googlesource.com/c/go/+/370575 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda Reviewed-by: Alex Rakoczy TryBot-Result: Gopher Robot (cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a) --- src/go.mod | 2 +- src/go.sum | 4 ++-- src/net/http/h2_bundle.go | 10 +++++++++- src/vendor/modules.txt | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/src/go.mod b/src/go.mod index ec6bd98..56f2fbb 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,7 +4,7 @@ go 1.14 require ( golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d - golang.org/x/net v0.0.0-20210129194117-4acb7895a057 + golang.org/x/net v0.0.0-20211209100217-a5309b321dca golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect ) diff --git a/src/go.sum b/src/go.sum index 171e083..1ceba05 100644 --- a/src/go.sum +++ b/src/go.sum @@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U= golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68= -golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg= +golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY= diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go index 702fd5a..83f2a72 100644 --- a/src/net/http/h2_bundle.go +++ b/src/net/http/h2_bundle.go @@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string { sc.canonHeader = make(map[string]string) } cv = CanonicalHeaderKey(v) - sc.canonHeader[v] = cv + // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of + // entries in the canonHeader cache. This should be larger than the number + // of unique, uncommon header keys likely to be sent by the peer, while not + // so high as to permit unreaasonable memory usage if the peer sends an unbounded + // number of unique header keys. + const maxCachedCanonicalHeaders = 32 + if len(sc.canonHeader) < maxCachedCanonicalHeaders { + sc.canonHeader[v] = cv + } return cv } diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt index 669bd9b..1d67183 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519 golang.org/x/crypto/hkdf golang.org/x/crypto/internal/subtle golang.org/x/crypto/poly1305 -# golang.org/x/net v0.0.0-20210129194117-4acb7895a057 +# golang.org/x/net v0.0.0-20211209100217-a5309b321dca ## explicit golang.org/x/net/dns/dnsmessage golang.org/x/net/http/httpguts