From 9dc032e93eb29093c6479783111bcc910ba92416 Mon Sep 17 00:00:00 2001
From: z00562929
Date: Wed, 27 Dec 2023 11:31:45 +0800
Subject: [PATCH] fix CVE-2023-44487
---
...87-add-max-concurrent-streams-policy.patch | 543 ++++++++++++++++++
grpc.spec | 9 +-
2 files changed, 551 insertions(+), 1 deletion(-)
create mode 100644 fix-CVE-2023-44487-add-max-concurrent-streams-policy.patch
diff --git a/fix-CVE-2023-44487-add-max-concurrent-streams-policy.patch b/fix-CVE-2023-44487-add-max-concurrent-streams-policy.patch
new file mode 100644
index 0000000..8a56f96
--- /dev/null
+++ b/fix-CVE-2023-44487-add-max-concurrent-streams-policy.patch
@@ -0,0 +1,543 @@ +From 115ffc66341e07daea06273c2ddb5e34a991232b Mon Sep 17 00:00:00 2001 +From: huang-wen-j +Date: Wed, 27 Dec 2023 11:18:49 +0800 +Subject: [PATCH] fix-CVE-2023-44487-add-max-concurrent-streams-policy + +--- + BUILD | 14 +++++ + CMakeLists.txt | 2 + + Makefile | 2 + + build_autogenerated.yaml | 4 ++ + config.m4 | 1 + + config.w32 | 1 + + gRPC-C++.podspec | 2 + + gRPC-Core.podspec | 3 + + grpc.gemspec | 2 + + grpc.gyp | 2 + + package.xml | 2 + + .../transport/chttp2/transport/chttp2_transport.cc | 4 ++ + src/core/ext/transport/chttp2/transport/internal.h | 5 ++ + .../transport/max_concurrent_streams_policy.cc | 44 ++++++++++++++ + .../transport/max_concurrent_streams_policy.h | 67 ++++++++++++++++++++++ + src/core/ext/transport/chttp2/transport/parsing.cc | 16 ++++++ + src/core/ext/transport/chttp2/transport/writing.cc | 12 +++- + src/python/grpcio/grpc_core_dependencies.py | 1 + + tools/doxygen/Doxyfile.c++.internal | 2 + + tools/doxygen/Doxyfile.core.internal | 2 + + 20 files changed, 187 insertions(+), 1 deletion(-) + create mode 100644 src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc + create mode 100644 src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h + +diff --git a/BUILD b/BUILD +index 7e56a55..dff9acd 100644 +--- a/BUILD ++++ b/BUILD +@@ -2912,6 +2912,20 @@ grpc_cc_library( + ) + + grpc_cc_library( ++ name = "max_concurrent_streams_policy", ++ srcs = [ ++ "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc", ++ ], ++ hdrs = [ ++ "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h", ++ ], ++ deps = [ ++ "gpr", ++ "gpr_platform", ++ ], ++) ++ ++grpc_cc_library( + name = "grpc_transport_chttp2", + srcs = [ + "src/core/ext/transport/chttp2/transport/bin_decoder.cc", +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 65164ce..181e45b 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1666,6 +1666,7 @@ add_library(grpc + 
src/core/ext/transport/chttp2/transport/hpack_utils.cc + src/core/ext/transport/chttp2/transport/http2_settings.cc + src/core/ext/transport/chttp2/transport/huffsyms.cc ++ src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc + src/core/ext/transport/chttp2/transport/incoming_metadata.cc + src/core/ext/transport/chttp2/transport/parsing.cc + src/core/ext/transport/chttp2/transport/stream_lists.cc +@@ -2493,6 +2494,7 @@ add_library(grpc_unsecure + src/core/ext/transport/chttp2/transport/hpack_utils.cc + src/core/ext/transport/chttp2/transport/http2_settings.cc + src/core/ext/transport/chttp2/transport/huffsyms.cc ++ src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc + src/core/ext/transport/chttp2/transport/incoming_metadata.cc + src/core/ext/transport/chttp2/transport/parsing.cc + src/core/ext/transport/chttp2/transport/stream_lists.cc +diff --git a/Makefile b/Makefile +index 5c9df01..fc7067e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1154,6 +1154,7 @@ LIBGRPC_SRC = \ + src/core/ext/transport/chttp2/transport/hpack_utils.cc \ + src/core/ext/transport/chttp2/transport/http2_settings.cc \ + src/core/ext/transport/chttp2/transport/huffsyms.cc \ ++ src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc \ + src/core/ext/transport/chttp2/transport/incoming_metadata.cc \ + src/core/ext/transport/chttp2/transport/parsing.cc \ + src/core/ext/transport/chttp2/transport/stream_lists.cc \ +@@ -1829,6 +1830,7 @@ LIBGRPC_UNSECURE_SRC = \ + src/core/ext/transport/chttp2/transport/hpack_utils.cc \ + src/core/ext/transport/chttp2/transport/http2_settings.cc \ + src/core/ext/transport/chttp2/transport/huffsyms.cc \ ++ src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc \ + src/core/ext/transport/chttp2/transport/incoming_metadata.cc \ + src/core/ext/transport/chttp2/transport/parsing.cc \ + src/core/ext/transport/chttp2/transport/stream_lists.cc \ +diff --git a/build_autogenerated.yaml 
b/build_autogenerated.yaml +index e09b30b..fd53710 100644 +--- a/build_autogenerated.yaml ++++ b/build_autogenerated.yaml +@@ -523,6 +523,7 @@ libs: + - src/core/ext/transport/chttp2/transport/huffsyms.h + - src/core/ext/transport/chttp2/transport/incoming_metadata.h + - src/core/ext/transport/chttp2/transport/internal.h ++ - src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h + - src/core/ext/transport/chttp2/transport/popularity_count.h + - src/core/ext/transport/chttp2/transport/stream_map.h + - src/core/ext/transport/chttp2/transport/varint.h +@@ -1060,6 +1061,7 @@ libs: + - src/core/ext/transport/chttp2/transport/hpack_utils.cc + - src/core/ext/transport/chttp2/transport/http2_settings.cc + - src/core/ext/transport/chttp2/transport/huffsyms.cc ++ - src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc + - src/core/ext/transport/chttp2/transport/incoming_metadata.cc + - src/core/ext/transport/chttp2/transport/parsing.cc + - src/core/ext/transport/chttp2/transport/stream_lists.cc +@@ -1759,6 +1761,7 @@ libs: + - src/core/ext/transport/chttp2/transport/huffsyms.h + - src/core/ext/transport/chttp2/transport/incoming_metadata.h + - src/core/ext/transport/chttp2/transport/internal.h ++ - src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h + - src/core/ext/transport/chttp2/transport/popularity_count.h + - src/core/ext/transport/chttp2/transport/stream_map.h + - src/core/ext/transport/chttp2/transport/varint.h +@@ -2021,6 +2024,7 @@ libs: + - src/core/ext/transport/chttp2/transport/hpack_utils.cc + - src/core/ext/transport/chttp2/transport/http2_settings.cc + - src/core/ext/transport/chttp2/transport/huffsyms.cc ++ - src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc + - src/core/ext/transport/chttp2/transport/incoming_metadata.cc + - src/core/ext/transport/chttp2/transport/parsing.cc + - src/core/ext/transport/chttp2/transport/stream_lists.cc +diff --git a/config.m4 b/config.m4 +index 
9467e7e..b1fedc6 100644 +--- a/config.m4 ++++ b/config.m4 +@@ -145,6 +145,7 @@ if test "$PHP_GRPC" != "no"; then + src/core/ext/transport/chttp2/transport/hpack_utils.cc \ + src/core/ext/transport/chttp2/transport/http2_settings.cc \ + src/core/ext/transport/chttp2/transport/huffsyms.cc \ ++ src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc \ + src/core/ext/transport/chttp2/transport/incoming_metadata.cc \ + src/core/ext/transport/chttp2/transport/parsing.cc \ + src/core/ext/transport/chttp2/transport/stream_lists.cc \ +diff --git a/config.w32 b/config.w32 +index 3e46c07..8918c80 100644 +--- a/config.w32 ++++ b/config.w32 +@@ -111,6 +111,7 @@ if (PHP_GRPC != "no") { + "src\\core\\ext\\transport\\chttp2\\transport\\hpack_utils.cc " + + "src\\core\\ext\\transport\\chttp2\\transport\\http2_settings.cc " + + "src\\core\\ext\\transport\\chttp2\\transport\\huffsyms.cc " + ++ "src\\core\\ext\\transport\\chttp2\\transport\\max_concurrent_streams_policy.cc " + + "src\\core\\ext\\transport\\chttp2\\transport\\incoming_metadata.cc " + + "src\\core\\ext\\transport\\chttp2\\transport\\parsing.cc " + + "src\\core\\ext\\transport\\chttp2\\transport\\stream_lists.cc " + +diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec +index 5869d24..7b866d9 100644 +--- a/gRPC-C++.podspec ++++ b/gRPC-C++.podspec +@@ -293,6 +293,7 @@ Pod::Spec.new do |s| + 'src/core/ext/transport/chttp2/transport/huffsyms.h', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.h', + 'src/core/ext/transport/chttp2/transport/internal.h', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h', + 'src/core/ext/transport/chttp2/transport/popularity_count.h', + 'src/core/ext/transport/chttp2/transport/stream_map.h', + 'src/core/ext/transport/chttp2/transport/varint.h', +@@ -960,6 +961,7 @@ Pod::Spec.new do |s| + 'src/core/ext/transport/chttp2/transport/huffsyms.h', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.h', + 
'src/core/ext/transport/chttp2/transport/internal.h', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h', + 'src/core/ext/transport/chttp2/transport/popularity_count.h', + 'src/core/ext/transport/chttp2/transport/stream_map.h', + 'src/core/ext/transport/chttp2/transport/varint.h', +diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec +index efee0db..bedc615 100644 +--- a/gRPC-Core.podspec ++++ b/gRPC-Core.podspec +@@ -390,6 +390,8 @@ Pod::Spec.new do |s| + 'src/core/ext/transport/chttp2/transport/incoming_metadata.cc', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.h', + 'src/core/ext/transport/chttp2/transport/internal.h', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h', + 'src/core/ext/transport/chttp2/transport/parsing.cc', + 'src/core/ext/transport/chttp2/transport/popularity_count.h', + 'src/core/ext/transport/chttp2/transport/stream_lists.cc', +@@ -1543,6 +1545,7 @@ Pod::Spec.new do |s| + 'src/core/ext/transport/chttp2/transport/huffsyms.h', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.h', + 'src/core/ext/transport/chttp2/transport/internal.h', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h', + 'src/core/ext/transport/chttp2/transport/popularity_count.h', + 'src/core/ext/transport/chttp2/transport/stream_map.h', + 'src/core/ext/transport/chttp2/transport/varint.h', +diff --git a/grpc.gemspec b/grpc.gemspec +index 511fa50..b5aef0b 100644 +--- a/grpc.gemspec ++++ b/grpc.gemspec +@@ -303,6 +303,8 @@ Gem::Specification.new do |s| + s.files += %w( src/core/ext/transport/chttp2/transport/incoming_metadata.cc ) + s.files += %w( src/core/ext/transport/chttp2/transport/incoming_metadata.h ) + s.files += %w( src/core/ext/transport/chttp2/transport/internal.h ) ++ s.files += %w( src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc ) ++ s.files += %w( 
src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h ) + s.files += %w( src/core/ext/transport/chttp2/transport/parsing.cc ) + s.files += %w( src/core/ext/transport/chttp2/transport/popularity_count.h ) + s.files += %w( src/core/ext/transport/chttp2/transport/stream_lists.cc ) +diff --git a/grpc.gyp b/grpc.gyp +index ed67482..6997963 100644 +--- a/grpc.gyp ++++ b/grpc.gyp +@@ -591,6 +591,7 @@ + 'src/core/ext/transport/chttp2/transport/hpack_utils.cc', + 'src/core/ext/transport/chttp2/transport/http2_settings.cc', + 'src/core/ext/transport/chttp2/transport/huffsyms.cc', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.cc', + 'src/core/ext/transport/chttp2/transport/parsing.cc', + 'src/core/ext/transport/chttp2/transport/stream_lists.cc', +@@ -1241,6 +1242,7 @@ + 'src/core/ext/transport/chttp2/transport/hpack_utils.cc', + 'src/core/ext/transport/chttp2/transport/http2_settings.cc', + 'src/core/ext/transport/chttp2/transport/huffsyms.cc', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.cc', + 'src/core/ext/transport/chttp2/transport/parsing.cc', + 'src/core/ext/transport/chttp2/transport/stream_lists.cc', +diff --git a/package.xml b/package.xml +index 745c8d5..9030fa6 100644 +--- a/package.xml ++++ b/package.xml +@@ -283,6 +283,8 @@ + + + ++ ++ + + + +diff --git a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +index 80b1d31..f995c95 100644 +--- a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc ++++ b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +@@ -35,6 +35,7 @@ + #include "src/core/ext/transport/chttp2/transport/frame_data.h" + #include "src/core/ext/transport/chttp2/transport/internal.h" + #include "src/core/ext/transport/chttp2/transport/varint.h" ++#include 
"src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h" + #include "src/core/lib/channel/channel_args.h" + #include "src/core/lib/compression/stream_compression.h" + #include "src/core/lib/debug/stats.h" +@@ -378,6 +379,9 @@ static bool read_channel_args(grpc_chttp2_transport* t, + if (value >= 0) { + queue_setting_update(t, settings_map[j].setting_id, + static_cast(value)); ++ if (settings_map[j].setting_id == GRPC_CHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS) { ++ t->max_concurrent_streams_policy.SetTarget(value); ++ } + } + } + break; +diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h +index ddf8ea2..d40d636 100644 +--- a/src/core/ext/transport/chttp2/transport/internal.h ++++ b/src/core/ext/transport/chttp2/transport/internal.h +@@ -36,6 +36,7 @@ + #include "src/core/ext/transport/chttp2/transport/hpack_parser.h" + #include "src/core/ext/transport/chttp2/transport/incoming_metadata.h" + #include "src/core/ext/transport/chttp2/transport/stream_map.h" ++#include "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h" + #include "src/core/lib/channel/channelz.h" + #include "src/core/lib/compression/stream_compression.h" + #include "src/core/lib/gprpp/manual_constructor.h" +@@ -387,6 +388,8 @@ struct grpc_chttp2_transport { + uint64_t ping_ctr = 0; /* unique id for pings */ + grpc_closure retry_initiate_ping_locked; + ++ grpc_core::Chttp2MaxConcurrentStreamsPolicy max_concurrent_streams_policy; ++ + /** ping acks */ + size_t ping_ack_count = 0; + size_t ping_ack_capacity = 0; +@@ -482,6 +485,8 @@ struct grpc_chttp2_transport { + /** grace period for a ping to complete before watchdog kicks in */ + grpc_millis keepalive_timeout; + /** if keepalive pings are allowed when there's no outstanding streams */ ++ /// number of stream objects currently allocated by this transport ++ std::atomic streams_allocated{0}; + bool keepalive_permit_without_calls = false; + /** If 
start_keepalive_ping_locked has been called */ + bool keepalive_ping_started = false; +diff --git a/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc b/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc +new file mode 100644 +index 0000000..aeef1db +--- /dev/null ++++ b/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc +@@ -0,0 +1,44 @@ ++// Copyright 2023 gRPC authors. ++// ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. 
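Review bot: `streams_allocated` is declared in this internal.h hunk and read by the new check in `init_header_frame_parser` (parsing.cc hunk), but no hunk in this patch ever increments or decrements it; the only chttp2_transport.cc changes are the include and the `SetTarget` call. As written the counter stays at 0, so `t->streams_allocated.load(std::memory_order_relaxed) > AdvertiseValue()` can never be true and the REFUSED_STREAM pushback never runs. Unless another patch in the series maintains the counter, add `t->streams_allocated.fetch_add(1, std::memory_order_relaxed);` where the transport constructs a stream object and the matching `fetch_sub` where it destroys one (neither site is visible here). The new member also lands between the `keepalive_permit_without_calls` doc comment and the field that comment describes; it should move above that comment.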
++ ++#include ++ ++#include "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h" ++ ++#include ++ ++namespace grpc_core { ++ ++void Chttp2MaxConcurrentStreamsPolicy::AddDemerit() { ++ ++new_demerits_; ++ ++unacked_demerits_; ++} ++ ++void Chttp2MaxConcurrentStreamsPolicy::FlushedSettings() { ++ sent_demerits_ += new_demerits_; ++ new_demerits_ = 0; ++} ++ ++void Chttp2MaxConcurrentStreamsPolicy::AckLastSend() { ++ GPR_ASSERT(unacked_demerits_ >= sent_demerits_); ++ unacked_demerits_ -= sent_demerits_; ++ sent_demerits_ = 0; ++} ++ ++uint32_t Chttp2MaxConcurrentStreamsPolicy::AdvertiseValue() const { ++ if (target_ < unacked_demerits_) return 0; ++ return target_ - unacked_demerits_; ++} ++ ++} // namespace grpc_core +diff --git a/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h b/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h +new file mode 100644 +index 0000000..e8ec52e +--- /dev/null ++++ b/src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h +@@ -0,0 +1,67 @@ ++// Copyright 2023 gRPC authors. ++// ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. 
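Review bot: `AddDemerit()` increments `new_demerits_` and `unacked_demerits_` with no upper bound, and its only caller in this patch is driven by frames the peer sends. If the counters ever wrap `uint32_t`, the `GPR_ASSERT(unacked_demerits_ >= sent_demerits_)` in `AckLastSend()` can fail, which aborts the process rather than closing the one connection. A saturating increment such as `if (unacked_demerits_ != std::numeric_limits<uint32_t>::max()) { ++new_demerits_; ++unacked_demerits_; }` keeps the invariant the assert relies on. A short comment stating that the class does no locking of its own and depends on the caller for serialization (presumably the transport's, not visible here) would also help.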
++ ++#ifndef GRPC_SRC_CORE_EXT_TRANSPORT_CHTTP2_TRANSPORT_MAX_CONCURRENT_STREAMS_POLICY_H ++#define GRPC_SRC_CORE_EXT_TRANSPORT_CHTTP2_TRANSPORT_MAX_CONCURRENT_STREAMS_POLICY_H ++ ++#include ++ ++#include ++#include ++ ++namespace grpc_core { ++ ++class Chttp2MaxConcurrentStreamsPolicy { ++ public: ++ // Set the target number of concurrent streams. ++ // If everything is idle we should advertise this number. ++ void SetTarget(uint32_t target) { target_ = target; } ++ ++ // Add one demerit to the current target. ++ // We need to do one full settings round trip after this to clear this ++ // demerit. ++ // It will reduce our advertised max concurrent streams by one. ++ void AddDemerit(); ++ ++ // Notify the policy that we've sent a settings frame. ++ // Newly added demerits since the last settings frame was sent will be cleared ++ // once that settings frame is acknowledged. ++ void FlushedSettings(); ++ ++ // Notify the policy that we've received an acknowledgement for the last ++ // settings frame we sent. ++ void AckLastSend(); ++ ++ // Returns what we should advertise as max concurrent streams. ++ uint32_t AdvertiseValue() const; ++ ++ private: ++ uint32_t target_ = std::numeric_limits::max(); ++ // Demerit flow: ++ // When we add a demerit, we add to both new & unacked. ++ // When we flush settings, we move new to sent. ++ // When we ack settings, we remove what we sent from unacked. 
++ // eg: ++ // we add 10 demerits - now new=10, sent=0, unacked=10 ++ // we send settings - now new=0, sent=10, unacked=10 ++ // we add 5 demerits - now new=5, sent=10, unacked=15 ++ // we get the settings ack - now new=5, sent=0, unacked=5 ++ uint32_t new_demerits_ = 0; ++ uint32_t sent_demerits_ = 0; ++ uint32_t unacked_demerits_ = 0; ++}; ++ ++} // namespace grpc_core ++ ++#endif // GRPC_SRC_CORE_EXT_TRANSPORT_CHTTP2_TRANSPORT_MAX_CONCURRENT_STREAMS_POLICY_H +diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc +index aa2765c..b0f71fd 100644 +--- a/src/core/ext/transport/chttp2/transport/parsing.cc ++++ b/src/core/ext/transport/chttp2/transport/parsing.cc +@@ -27,6 +27,7 @@ + #include + + #include "src/core/ext/transport/chttp2/transport/internal.h" ++#include "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h" + #include "src/core/lib/profiling/timers.h" + #include "src/core/lib/slice/slice_string_helpers.h" + #include "src/core/lib/slice/slice_utils.h" +@@ -636,6 +637,17 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t, + t->settings[GRPC_ACKED_SETTINGS] + [GRPC_CHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS])) { + return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Max stream count exceeded"); ++ } else if (GPR_UNLIKELY( ++ t->streams_allocated.load(std::memory_order_relaxed) > ++ t->max_concurrent_streams_policy.AdvertiseValue())) { ++ // We have more streams allocated than we'd like, so apply some pushback ++ // by refusing this stream. 
++ ++t->num_pending_induced_frames; ++ grpc_slice_buffer_add(&t->qbuf, grpc_chttp2_rst_stream_create( ++ t->incoming_stream_id, ++ GRPC_HTTP2_REFUSED_STREAM, nullptr)); ++ grpc_chttp2_initiate_write(t, GRPC_CHTTP2_INITIATE_WRITE_RST_STREAM); ++ return init_header_skip_frame_parser(t, priority_type); + } + t->last_new_stream_id = t->incoming_stream_id; + s = t->incoming_stream = +@@ -756,6 +768,7 @@ static grpc_error_handle init_settings_frame_parser(grpc_chttp2_transport* t) { + return err; + } + if (t->incoming_frame_flags & GRPC_CHTTP2_FLAG_ACK) { ++ t->max_concurrent_streams_policy.AckLastSend(); + memcpy(t->settings[GRPC_ACKED_SETTINGS], t->settings[GRPC_SENT_SETTINGS], + GRPC_CHTTP2_NUM_SETTINGS * sizeof(uint32_t)); + t->hpack_parser.hpack_table()->SetMaxBytes( +@@ -765,6 +778,9 @@ static grpc_error_handle init_settings_frame_parser(grpc_chttp2_transport* t) { + } + t->parser = grpc_chttp2_settings_parser_parse; + t->parser_data = &t->simple.settings; ++ if (!t->is_client) { ++ t->max_concurrent_streams_policy.AddDemerit(); ++ } + return GRPC_ERROR_NONE; + } + +diff --git a/src/core/ext/transport/chttp2/transport/writing.cc b/src/core/ext/transport/chttp2/transport/writing.cc +index ccd6944..fcf1909 100644 +--- a/src/core/ext/transport/chttp2/transport/writing.cc ++++ b/src/core/ext/transport/chttp2/transport/writing.cc +@@ -25,6 +25,7 @@ + #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h" + #include "src/core/ext/transport/chttp2/transport/context_list.h" + #include "src/core/ext/transport/chttp2/transport/internal.h" ++#include "src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h" + #include "src/core/lib/compression/stream_compression.h" + #include "src/core/lib/debug/stats.h" + #include "src/core/lib/profiling/timers.h" +@@ -217,7 +218,15 @@ class WriteContext { + } + + void FlushSettings() { +- if (t_->dirtied_local_settings && !t_->sent_local_settings) { ++ const bool dirty = ++ t_->dirtied_local_settings || ++ 
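Review bot: The only `AddDemerit()` call in the patch sits at the end of `init_settings_frame_parser`, so a server takes a demerit for every incoming SETTINGS frame, including the SETTINGS ACK that has just run `AckLastSend()` a few lines earlier. Nothing in the patch adds a demerit when a peer resets a stream, which is the behaviour CVE-2023-44487 concerns, so the advertised limit does not react to resets at all. Please confirm the intended trigger; if the penalty is meant for RST_STREAM, the `if (!t->is_client) { t->max_concurrent_streams_policy.AddDemerit(); }` block probably belongs in the RST_STREAM frame-parser setup (not visible in this patch) rather than here. The body of `init_settings_frame_parser` starts outside the hunk.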
t_->settings[GRPC_SENT_SETTINGS] ++ [GRPC_CHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS] != ++ t_->max_concurrent_streams_policy.AdvertiseValue(); ++ if (dirty && !t_->sent_local_settings) { ++ t_->settings[GRPC_LOCAL_SETTINGS] ++ [GRPC_CHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS] = ++ t_->max_concurrent_streams_policy.AdvertiseValue(); + grpc_slice_buffer_add( + &t_->outbuf, grpc_chttp2_settings_create( + t_->settings[GRPC_SENT_SETTINGS], +@@ -226,6 +235,7 @@ class WriteContext { + t_->force_send_settings = false; + t_->dirtied_local_settings = false; + t_->sent_local_settings = true; ++ t_->max_concurrent_streams_policy.FlushedSettings(); + GRPC_STATS_INC_HTTP2_SETTINGS_WRITES(); + } + } +diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py +index 774175d..b089de9 100644 +--- a/src/python/grpcio/grpc_core_dependencies.py ++++ b/src/python/grpcio/grpc_core_dependencies.py +@@ -120,6 +120,7 @@ CORE_SOURCE_FILES = [ + 'src/core/ext/transport/chttp2/transport/hpack_utils.cc', + 'src/core/ext/transport/chttp2/transport/http2_settings.cc', + 'src/core/ext/transport/chttp2/transport/huffsyms.cc', ++ 'src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc', + 'src/core/ext/transport/chttp2/transport/incoming_metadata.cc', + 'src/core/ext/transport/chttp2/transport/parsing.cc', + 'src/core/ext/transport/chttp2/transport/stream_lists.cc', +diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal +index 90657ac..b503784 100644 +--- a/tools/doxygen/Doxyfile.c++.internal ++++ b/tools/doxygen/Doxyfile.c++.internal +@@ -1240,6 +1240,8 @@ src/core/ext/transport/chttp2/transport/huffsyms.h \ + src/core/ext/transport/chttp2/transport/incoming_metadata.cc \ + src/core/ext/transport/chttp2/transport/incoming_metadata.h \ + src/core/ext/transport/chttp2/transport/internal.h \ ++src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc \ 
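Review bot: `FlushSettings()` now overwrites the local MAX_CONCURRENT_STREAMS entry with `AdvertiseValue()` on every flush, for client and server transports alike, while `SetTarget()` is only called from `read_channel_args` when the channel argument is present. Any value queued for this setting by another path (none is visible in this patch) would be replaced by the policy default of `UINT32_MAX` minus outstanding demerits, so check that every place that queues the setting also sets the target. `AdvertiseValue()` is also evaluated twice; hoisting it into `const uint32_t advertise = t_->max_concurrent_streams_policy.AdvertiseValue();` keeps the comparison and the assignment in agreement and makes the intent easier to read.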
++src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h \ + src/core/ext/transport/chttp2/transport/parsing.cc \ + src/core/ext/transport/chttp2/transport/popularity_count.h \ + src/core/ext/transport/chttp2/transport/stream_lists.cc \ +diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal +index aff4e8f..f95caf5 100644 +--- a/tools/doxygen/Doxyfile.core.internal ++++ b/tools/doxygen/Doxyfile.core.internal +@@ -1075,6 +1075,8 @@ src/core/ext/transport/chttp2/transport/huffsyms.h \ + src/core/ext/transport/chttp2/transport/incoming_metadata.cc \ + src/core/ext/transport/chttp2/transport/incoming_metadata.h \ + src/core/ext/transport/chttp2/transport/internal.h \ ++src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.cc \ ++src/core/ext/transport/chttp2/transport/max_concurrent_streams_policy.h \ + src/core/ext/transport/chttp2/transport/parsing.cc \ + src/core/ext/transport/chttp2/transport/popularity_count.h \ + src/core/ext/transport/chttp2/transport/stream_lists.cc \ +-- +2.1.3 + diff --git a/grpc.spec b/grpc.spec index a864669..8aad913 100644 --- a/grpc.spec +++ b/grpc.spec @@ -3,7 +3,7 @@ Name: grpc Version: 1.41.1 -Release: 8 +Release: 9 Summary: A modern, open source high performance RPC framework that can run in any environment License: ASL 2.0 URL: https://www.grpc.io @@ -16,6 +16,7 @@ Patch0011: backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch Patch0012: backport-iomgr-EventEngine-Improve-server-handling-o.patch Patch0013: fix-CVE-2023-33953-add-header-limit.patch Patch0014: remove-cert-expired-on-20230930.patch +Patch0015: fix-CVE-2023-44487-add-max-concurrent-streams-policy.patch BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel 
@@ -142,6 +143,12 @@ cd ../.. %{python3_sitearch}/grpcio-%{version}-py?.?.egg-info %changelog +* Wed Dec 27 2023 huangwenjie - 1.41.1-9 +- Type:CVE +- ID:CVE-2023-44487 +- SUG:NA +- DESC:fix CVE-2023-44487 + * Wed Nov 15 2023 zhouyihang - 1.41.1-8 - Type:bugfix - ID:NA -- Gitee