From caf2ecd39fcbb5bf8772568413eed11f1f53c94f Mon Sep 17 00:00:00 2001 From: mgb01105731 Date: Mon, 11 Nov 2024 10:05:25 +0800 Subject: [PATCH] fix CVE-2024-28182 --- 0001-CVE-2024-28182_1.patch | 103 ++++++++++++++++++++++++++++++++++++ 0002-CVE-2024-28182_2.patch | 98 ++++++++++++++++++++++++++++++++++ nghttp2.spec | 18 +++++-- 3 files changed, 215 insertions(+), 4 deletions(-) create mode 100644 0001-CVE-2024-28182_1.patch create mode 100644 0002-CVE-2024-28182_2.patch diff --git a/0001-CVE-2024-28182_1.patch b/0001-CVE-2024-28182_1.patch new file mode 100644 index 0000000..ceea142 --- /dev/null +++ b/0001-CVE-2024-28182_1.patch @@ -0,0 +1,103 @@ +From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:26:42 +0900 +Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame + +--- + lib/includes/nghttp2/nghttp2.h | 7 ++++++- + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_session.c | 7 +++++++ + lib/nghttp2_session.h | 10 ++++++++++ + 4 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h +index 889176097d..a9629c7823 100644 +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -466,7 +466,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c +index 93dd4754b7..b3563d98e0 100644 +--- a/lib/nghttp2_helper.c ++++ b/lib/nghttp2_helper.c +@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) { + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index ea4fcbec57..fc4c77a3f0 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -497,6 +497,7 @@ static int session_new(nghttp2_session **session_ptr, + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -6826,6 +6827,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6947,6 +6950,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h +index b119329a04..ef8f7b27d6 100644 +--- a/lib/nghttp2_session.h ++++ b/lib/nghttp2_session.h +@@ -110,6 +110,10 @@ typedef struct { + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -290,6 +294,12 @@ struct nghttp2_session { + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, diff --git a/0002-CVE-2024-28182_2.patch b/0002-CVE-2024-28182_2.patch new file mode 100644 index 0000000..aeff3ad --- /dev/null +++ b/0002-CVE-2024-28182_2.patch @@ -0,0 +1,98 @@ +From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:48:10 +0900 +Subject: [PATCH] Add nghttp2_option_set_max_continuations + +--- + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 11 +++++++++++ + lib/nghttp2_option.c | 5 +++++ + lib/nghttp2_option.h | 5 +++++ + lib/nghttp2_session.c | 4 ++++ + 5 files changed, 26 insertions(+) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 51945e4f0b..50d57b2217 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -77,6 +77,7 @@ APIDOCS= \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_server_fallback_rfc7540_priorities.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ ++ nghttp2_option_set_max_continuations.rst \ + nghttp2_option_set_max_outbound_ack.rst \ + nghttp2_option_set_max_settings.rst \ + nghttp2_option_set_stream_reset_rate_limit.rst \ +diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h +index a9629c7823..92c3ccc6e4 100644 +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -3210,6 +3210,17 @@ NGHTTP2_EXTERN void + nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + uint64_t burst, uint64_t rate); + ++/** ++ * @function ++ * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ + /** + * @function + * +diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c +index 43d4e95229..53144b9b75 100644 +--- a/lib/nghttp2_option.c ++++ b/lib/nghttp2_option.c +@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + option->stream_reset_burst = burst; + option->stream_reset_rate = rate; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h +index 2259e1849d..c89cb97f8b 100644 +--- a/lib/nghttp2_option.h ++++ b/lib/nghttp2_option.h +@@ -71,6 +71,7 @@ typedef enum { + NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13, + NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14, + NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -98,6 +99,10 @@ struct nghttp2_option { + * NGHTTP2_OPT_MAX_SETTINGS + */ + size_t max_settings; ++ /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; + /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index fc4c77a3f0..004a4dffaa 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -586,6 +586,10 @@ static int session_new(nghttp2_session **session_ptr, + option->stream_reset_burst, + option->stream_reset_rate); + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, diff --git a/nghttp2.spec b/nghttp2.spec index f18b798..6a75a02 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: nghttp2 Version: 1.58.0 @@ -8,6 +8,9 @@ Summary: Experimental HTTP/2 client, server and proxy URL: https://nghttp2.org/ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz +Patch1000: 0001-CVE-2024-28182_1.patch +Patch1001: 0002-CVE-2024-28182_2.patch + BuildRequires: gcc-c++ BuildRequires: make BuildRequires: systemd @@ -56,7 +59,7 @@ BuildArch: noarch The %{name}-doc package contains documentation files for %{name} %prep -%setup -q +%autosetup -p1 # make fetch-ocsp-response use Python 3 sed -e '1 s|^#!/.*python|&3|' -i script/fetch-ocsp-response @@ -86,21 +89,25 @@ rm -f "$RPM_BUILD_ROOT%{_datadir}/doc/nghttp2/README.rst" %postun %systemd_postun nghttpx.service - +# aarch64 faild when check +%ifarch x86_64 loongarch64 %check # test the just built library instead of the system one, without using rpath export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %make_build check +%endif %files %{_bindir}/h2load %{_bindir}/nghttp %{_bindir}/nghttpd %{_bindir}/nghttpx +%ifarch x86_64 loongarch64 %{abidir}/h2load-option.list %{abidir}/nghttp-option.list -%{abidir}/nghttpd-option.list %{abidir}/nghttpx-option.list +%endif +%{abidir}/nghttpd-option.list %{_datadir}/nghttp2 %{_mandir}/man1/h2load.1* %{_mandir}/man1/nghttp.1* @@ -123,6 +130,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %doc AUTHORS ChangeLog NEWS README README.rst %changelog +* Mon Nov 11 2024 mgb01105731 - 1.58.0-2 +- add patch to fix CVE-2024-28182 + * Mon Mar 11 2024 - 1.58.0-1 - New version 1.58.0 -- Gitee