From 073108c855b35be92754f1b37f0291a547f70803 Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Mon, 12 Aug 2019 23:36:00 +0200
Subject: [PATCH] http2: allow security revert for Ping/Settings Flood

nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515.

Backport-PR-URL: https://github.com/nodejs/node/pull/29124
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott
Reviewed-By: James M Snell
---
 src/node_http2.cc | 3 +++
 src/node_revert.h | 1 +
 2 files changed, 4 insertions(+)

diff --git a/src/node_http2.cc b/src/node_http2.cc
index 5cd73ca4c585e1..eefad40a5dc3a6 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -144,6 +144,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
 buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
 }
 
+ if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+ nghttp2_option_set_max_outbound_ack(options_, 10000);
+
 // The padding strategy sets the mechanism by which we determine how much
 // additional frame padding to apply to DATA and HEADERS frames. Currently
 // this is set on a per-session basis, but eventually we may switch to
diff --git a/src/node_revert.h b/src/node_revert.h
index 44311027f76903..33aa1fd446b155 100644
--- a/src/node_revert.h
+++ b/src/node_revert.h
@@ -17,6 +17,7 @@ namespace node {
 
 #define SECURITY_REVERSIONS(XX) \
 XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting") \
+ XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood") \
 XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood") \
 XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak") \
 XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding") \
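Review bot: The bare `10000` passed to `nghttp2_option_set_max_outbound_ack` under `IsReverted(SECURITY_REVERT_CVE_2019_9512)` in src/node_http2.cc has no comment saying that it deliberately restores the pre-fix cap on queued PING/SETTINGS ACKs, so a later reader cannot tell a security opt-out from a tuning value. I would put `// Security revert: restore the old limit of 10000 outstanding PING/SETTINGS ACKs (CVE-2019-9512/CVE-2019-9515).` above the `if` and brace its two-line body. With the revert active a session may queue ten times as many ACK frames as the patched default named in the commit message, so deployments that enable it presumably need to watch per-session memory. The constructor's body starts and ends outside this hunk.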
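Review bot: Only `CVE_2019_9512` is registered in `SECURITY_REVERSIONS` in src/node_revert.h, although the commit message ties the same limit to both CVE-2019-9512 and CVE-2019-9515, so an operator looking up the second identifier finds no matching revert key. If a second key is not wanted, the description string could carry the pairing, e.g. `XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood (also CVE-2019-9515)") \`. Whether that string is shown to users is not visible here. The macro's entry list continues outside the hunk.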