Google Git
Sign in
go / net / ba872109ef2dc8f1da778651bd1fd3792d0e4587
commitba872109ef2dc8f1da778651bd1fd3792d0e4587[log] [tgz]
authorDamien Neil <dneil@google.com>Wed Jan 10 13:41:39 2024 -0800
committerGopher Robot <gobot@golang.org>Wed Apr 03 16:01:29 2024 +0000
treead3cff270a45585d2a6f038874d8931147d7c83c
parentebc8168ac8ac742194df729305175940790c55a2 [diff]
http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection.
When a request's headers exceed MaxHeaderBytes, we don't
allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of data, all associated
with a request which is going to be rejected.

Set a limit on the amount of excess header frames we
will process before closing a connection.

Thanks to Bartek Nowotarski for reporting this issue.

Fixes CVE-2023-45288
Fixes golang/go#65051

Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2 files changed
tree: ad3cff270a45585d2a6f038874d8931147d7c83c
  1. bpf/
  2. context/
  3. dict/
  4. dns/
  5. html/
  6. http/
  7. http2/
  8. icmp/
  9. idna/
  10. internal/
  11. ipv4/
  12. ipv6/
  13. lif/
  14. nettest/
  15. netutil/
  16. proxy/
  17. publicsuffix/
  18. quic/
  19. route/
  20. trace/
  21. webdav/
  22. websocket/
  23. xsrftoken/
  24. .gitattributes
  25. .gitignore
  26. codereview.cfg
  27. CONTRIBUTING.md
  28. go.mod
  29. go.sum
  30. LICENSE
  31. PATENTS
  32. README.md
README.md

Go Networking

Go Reference

This repository holds supplementary Go networking libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/net. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.