fix(patches): apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487)
From nginx/nginx@6ceef19 --------- Signed-off-by: Aapo Talvensaari <[email protected]> Co-authored-by: chronolaw <[email protected]> Co-authored-by: Datong Sun <[email protected]> (cherry picked from commit c54eddd)
Showing
2 changed files
with
56 additions
and
0 deletions.
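--- a/build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch
+++ b/build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch
@@ -0,0 +1,53 @@
+diff --git a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
+index 3afa8b6..228b060 100644
+--- a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
++++ b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
+@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
+ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
+
+h2c->blocked = 1;
++ h2c->new_streams = 0;
+
+if (c->close) {
+c->close = 0;
+@@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
+goto rst_stream;
+}
+
++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "client sent too many streams at once");
++
++ status = NGX_HTTP_V2_REFUSED_STREAM;
++ goto rst_stream;
++ }
++
+if (!h2c->settings_ack
+&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
+&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
+@@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
+
+rst_stream:
+
++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "client sent too many refused streams");
++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
++ }
++
+if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
+return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+}
+diff --git a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
+index 0eceae3..aef40bb 100644
+--- a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
++++ b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
+@@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s {
+ngx_uint_t processing;
+ngx_uint_t frames;
+ngx_uint_t idle;
++ ngx_uint_t new_streams;
++ ngx_uint_t refused_streams;
+ngx_uint_t priority_limit;
+
+ngx_uint_t pushing;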
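Review bot: The patch file carries no provenance header, so the upstream origin given only in the commit message (nginx/nginx@6ceef19, CVE-2023-44487) is not recoverable from the patches directory itself; `git apply` and `patch` ignore text before the first `diff --git` line, so a leading line such as `Backport of nginx/nginx@6ceef19 (CVE-2023-44487): bound new and refused HTTP/2 streams per connection` costs nothing. Within the patch only `new_streams` is reset (to 0 at the top of ngx_http_v2_read_handler), while `refused_streams` is only ever incremented, so the `ngx_max(h2scf->concurrent_streams, 100)` limit is cumulative over the connection's lifetime and terminates it with NGX_HTTP_V2_NO_ERROR once exceeded — presumably matching upstream, but worth stating in that header since operators correlating the "client sent too many refused streams" log line will want to know the threshold follows the configured http2_max_concurrent_streams and is per connection, not per read iteration. Both ngx_http_v2_state_headers hunks and the read-handler hunk start and end outside the visible context, so the surrounding control flow (in particular where `status` is set before the rst_stream label) cannot be checked here.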
@@ -0,0 +1,3 @@ | ||
message: Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487) | ||
type: bugfix | ||
scope: Core |