1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 9 Dec 2021 06:13:31 -0500
Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
CVE: CVE-2021-44716
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Pull in security fix
a5309b3 http2: cap the size of the server's canonical header cache
Updates #50058
Fixes CVE-2021-44716
Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
---
src/go.mod | 2 +-
src/go.sum | 4 ++--
src/net/http/h2_bundle.go | 10 +++++++++-
src/vendor/modules.txt | 2 +-
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/go.mod b/src/go.mod
index ec6bd98..56f2fbb 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -4,7 +4,7 @@ go 1.14
require (
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
- golang.org/x/net v0.0.0-20210129194117-4acb7895a057
+ golang.org/x/net v0.0.0-20211209100217-a5309b321dca
golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
)
diff --git a/src/go.sum b/src/go.sum
index 171e083..1ceba05 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 702fd5a..83f2a72 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
sc.canonHeader = make(map[string]string)
}
cv = CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
return cv
}
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 669bd9b..1d67183 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
golang.org/x/crypto/hkdf
golang.org/x/crypto/internal/subtle
golang.org/x/crypto/poly1305
-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
## explicit
golang.org/x/net/dns/dnsmessage
golang.org/x/net/http/httpguts
|