commit | d99f623d45a4846fab7f1cc1d429359adb1e1ec1 | [log] [tgz] |
---|---|---|
author | Damien Neil <dneil@google.com> | Thu Dec 22 09:33:10 2022 -0800 |
committer | Michael Pratt <mpratt@google.com> | Tue Feb 14 20:08:05 2023 +0000 |
tree | 3c87c33a7c35902b44eed90f6d3e954d40b20394 | |
parent | 183621ab9c4e43af4b725d1302c73c75ff11e5ec [diff] |
[internal-branch.go1.19-vendor] http2/hpack: avoid quadratic complexity in hpack decoding When parsing a field literal containing two Huffman-encoded strings, don't decode the first string until verifying all data is present. Avoids forced quadratic complexity when repeatedly parsing a partial field, repeating the Huffman decoding of the string on each iteration. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. Fixes golang/go#57855 Fixes CVE-2022-41723 For golang/go#58355 Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/468135 Run-TryBot: Michael Pratt <mpratt@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Than McIntosh <thanm@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit 8e2b117aee74f6b86c207a808b0255de45c0a18a) Reviewed-on: https://go-review.googlesource.com/c/net/+/468335
This repository holds supplementary Go networking libraries.
The easiest way to install is to run go get -u golang.org/x/net
. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net
.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.