[internal-branch.go1.16-vendor] http2: cap the size of the server's canonical header cache

The HTTP/2 server keeps a per-connection cache mapping header keys
to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
maximum size of this cache to prevent a peer sending many unique
header keys from causing unbounded memory growth.

Cap chosen arbitrarily at 32 entries. Since this cache does not
include common headers (e.g., "content-type"), 32 seems like more
than enough for almost all normal uses.

Updates golang/go#50058
Fixes CVE-2021-44716

Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
1 file changed
tree: 8ac79a46eea3a40fc7a3eff1bb31e96a5f3df0b4
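
The cap described in the commit message, as an added Go example (not the x/net code from this change). The names connCache, commonHeaders and cacheSizeAfter are hypothetical, the one-entry common-header table is a constructed stand-in, and the header keys are constructed sample input.

```go
package main

import (
	"fmt"
	"net/textproto"
)

// Cap of 32 entries, the value stated in the commit message.
const maxCachedCanonicalHeaders = 32

// commonHeaders is a constructed stand-in for the table of common headers
// that, per the commit message, never enters the per-connection cache.
var commonHeaders = map[string]string{"content-type": "Content-Type"}

// connCache is a hypothetical per-connection cache of canonicalized keys.
type connCache struct{ canon map[string]string }

// canonicalHeader returns the canonical form of key. At the cap, new keys are
// still canonicalized but not stored, so peer-chosen keys cannot grow the map.
func (c *connCache) canonicalHeader(key string) string {
	if cv, ok := commonHeaders[key]; ok {
		return cv
	}
	if cv, ok := c.canon[key]; ok {
		return cv
	}
	if c.canon == nil {
		c.canon = make(map[string]string)
	}
	cv := textproto.CanonicalMIMEHeaderKey(key)
	if len(c.canon) < maxCachedCanonicalHeaders {
		c.canon[key] = cv
	}
	return cv
}

// cacheSizeAfter feeds n distinct constructed keys and returns entries kept.
func cacheSizeAfter(n int) int {
	c := &connCache{}
	for i := 0; i < n; i++ {
		c.canonicalHeader(fmt.Sprintf("x-constructed-%d", i))
	}
	return len(c.canon)
}

func main() {
	fmt.Println(cacheSizeAfter(10), cacheSizeAfter(100000))
}
```

Keys seen after the cap is reached cost one canonicalization per use instead of a map hit, which is the trade the commit accepts for bounded memory per connection.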
README.md

Go Networking

This repository holds supplementary Go networking libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/net. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.