commit | ba872109ef2dc8f1da778651bd1fd3792d0e4587 | [log] [tgz] |
---|---|---|
author | Damien Neil <dneil@google.com> | Wed Jan 10 13:41:39 2024 -0800 |
committer | Gopher Robot <gobot@golang.org> | Wed Apr 03 16:01:29 2024 +0000 |
tree | ad3cff270a45585d2a6f038874d8931147d7c83c | |
parent | ebc8168ac8ac742194df729305175940790c55a2 [diff] |
http2: close connections when receiving too many headers Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of data, all associated with a request which is going to be rejected. Set a limit on the amount of excess header frames we will process before closing a connection. Thanks to Bartek Nowotarski for reporting this issue. Fixes CVE-2023-45288 Fixes golang/go#65051 Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Than McIntosh <thanm@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This repository holds supplementary Go networking libraries.
The easiest way to install is to run go get -u golang.org/x/net
. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net
.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.