http2/hpack: avoid quadratic complexity in hpack decoding

When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
TryBot-Result: Security TryBots <>
Reviewed-by: Julie Qiu <>
Run-TryBot: Damien Neil <>
Reviewed-by: Roland Shoemaker <>
Run-TryBot: Michael Pratt <>
Reviewed-by: Roland Shoemaker <>
Reviewed-by: Than McIntosh <>
Auto-Submit: Michael Pratt <>
TryBot-Result: Gopher Robot <>
2 files changed
tree: 995ff053d9d8a642e3d42d9a130a7c521a9f6e38
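
The cost pattern the commit message describes, as an added example (not code from this change or from the hpack package): a field of two length-prefixed strings is re-parsed each time more bytes arrive, once decoding the first string eagerly and once only after both strings are known to be present. The 2-byte length prefix (strings under 64 KiB), the byte-counting `decode` stand-in for Huffman decoding, and all names are assumptions made for illustration.

```go
package main

import "fmt"

// parser counts bytes passed to decode, a stand-in for Huffman decoding.
type parser struct{ decoded int }
func (p *parser) decode(b []byte) string { p.decoded += len(b); return string(b) }

// readRaw splits off one string with a 2-byte length prefix (simplified framing).
func readRaw(buf []byte) (raw, rest []byte, ok bool) {
	if len(buf) < 2 {
		return nil, nil, false
	}
	if n := int(buf[0])<<8 | int(buf[1]); len(buf)-2 >= n {
		return buf[2 : 2+n], buf[2+n:], true
	}
	return nil, nil, false
}

// parse reads a name/value literal; ok=false means more data is needed.
func (p *parser) parse(buf []byte, eager bool) (name, value string, ok bool) {
	rawName, rest, ok := readRaw(buf)
	if ok && eager {
		name = p.decode(rawName) // decoded again on every retry while value is partial
	}
	rawValue, _, ok2 := readRaw(rest)
	if !ok || !ok2 {
		return "", "", false
	}
	if !eager {
		name = p.decode(rawName) // both strings verified present: decoded once
	}
	return name, p.decode(rawValue), true
}

// Work re-parses after every delivered byte and returns total bytes decoded.
func Work(name, value string, eager bool) int {
	lp := func(s string) []byte { return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...) }
	field, p := append(lp(name), lp(value)...), &parser{}
	for i := 1; ; i++ {
		if _, _, ok := p.parse(field[:i], eager); ok {
			return p.decoded
		}
	}
}

func main() {
	s := string(make([]byte, 1000)) // constructed 1000-byte name and value
	fmt.Println("eager:", Work(s, s, true), "deferred:", Work(s, s, false))
}
```

With a 1000-byte name and value delivered one byte at a time, the eager order pushes about a million bytes through the decoder while the deferred order decodes each byte once.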

Go Networking

This repository holds supplementary Go networking libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see The main issue tracker for the net repository is located at Prefix your issue with “x/net:” in the subject line, so it is easy to find.