[internal-branch.go1.18-vendor] http2: limit canonical header cache by bytes, not entries

The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57008
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455735
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
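
The difference between the two limits described in the commit message, as an added Go example (not the x/net code from this change). The type `canonCache`, the function `retained`, and the three limit constants are assumptions made for illustration, and the keys are constructed sample input.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// Assumed limits for this sketch; not taken from the x/net change.
const (
	maxEntries    = 32   // entry-count policy: cap on number of cached keys
	maxCacheBytes = 2048 // byte policy: cap on estimated cache memory
	entryOverhead = 100  // rough per-entry map bookkeeping cost
)

// canonCache is a hypothetical per-connection canonical header key cache.
type canonCache struct {
	m       map[string]string
	size    int  // estimated bytes retained by m
	byBytes bool // true: limit by bytes; false: limit by entry count
}

// canonical returns the canonical form of key, caching it if the policy allows.
func (c *canonCache) canonical(key string) string {
	if v, ok := c.m[key]; ok {
		return v
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	cost := entryOverhead + len(key) + len(v)
	if c.byBytes && c.size+cost <= maxCacheBytes || !c.byBytes && len(c.m) < maxEntries {
		c.m[key] = v
		c.size += cost
	}
	return v
}

// retained feeds one ordinary key and four constructed 64 KiB keys to a cache.
func retained(byBytes bool) (entries, size int) {
	c := canonCache{m: map[string]string{}, byBytes: byBytes}
	c.canonical("foo-bar")
	for i := 0; i < 4; i++ {
		c.canonical(fmt.Sprintf("x-%d-%s", i, strings.Repeat("a", 64<<10)))
	}
	return len(c.m), c.size
}

func main() {
	fmt.Println(retained(false))
	fmt.Println(retained(true))
}
```

With the entry-count policy the five keys stay well under the 32-entry cap yet pin roughly 512 KiB; with the byte policy only the small key is cached, and the large keys are still canonicalized correctly on each call.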
2 files changed
tree: a44fcdb8c118c4e52cb816dab4f7c50a5c6dbdb0
README.md

Go Networking

This repository holds supplementary Go networking libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/net. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.