commit | 4205dd41f8702baecd880da035de3db86340e81d | |
---|---|---|
author | Damien Neil <dneil@google.com> | Wed Oct 26 11:32:42 2022 -0700 |
committer | Heschi Kreinick <heschi@google.com> | Fri Dec 09 18:42:34 2022 +0000 |
tree | a44fcdb8c118c4e52cb816dab4f7c50a5c6dbdb0 | |
parent | 0a43f88f7ef0aaea83080c53ac040e8c4d04c8e3 |

[internal-branch.go1.18-vendor] http2: limit canonical header cache by bytes, not entries

The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57008
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455735
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>

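The byte-based limit described in the commit message above, sketched as an added example (not code from this commit or from golang.org/x/net). The `canonCache` type, the 4096-byte budget and the 64-byte per-entry overhead are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// entryOverhead is an assumed per-entry bookkeeping cost, chosen for illustration.
const entryOverhead = 64

// canonCache is a hypothetical per-connection cache of canonical header keys,
// bounded by estimated bytes held rather than by entry count.
type canonCache struct {
	m        map[string]string
	used     int // estimated bytes consumed by cached keys and values
	maxBytes int // budget; the value used below is an assumption
}

func newCanonCache(maxBytes int) *canonCache {
	return &canonCache{m: make(map[string]string), maxBytes: maxBytes}
}

// Canonical returns the canonical key; it caches only while the budget allows.
func (c *canonCache) Canonical(key string) string {
	if v, ok := c.m[key]; ok {
		return v
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	cost := entryOverhead + len(key) + len(v)
	if c.used+cost <= c.maxBytes {
		c.m[key] = v
		c.used += cost
	}
	return v
}

func (c *canonCache) Entries() int { return len(c.m) }
func (c *canonCache) Bytes() int   { return c.used }

func main() {
	c := newCanonCache(4096)
	fmt.Println(c.Canonical("foo-bar"))
	// Constructed input: four unique 64 KiB keys, few enough to pass an entry-count limit.
	for i := 0; i < 4; i++ {
		c.Canonical(fmt.Sprintf("x-%d-%s", i, strings.Repeat("a", 64<<10)))
	}
	fmt.Println(c.Entries(), c.Bytes())
}
```

Oversized keys are still canonicalized and returned; they are simply never stored, so the memory held per connection stays under the budget regardless of key size.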
This repository holds supplementary Go networking libraries.
The easiest way to install is to run `go get -u golang.org/x/net`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/net`.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.