From 881c244a4e1b857d883cd105cd035a1fd6ed3fa6 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 27 Apr 2020 10:47:58 -0700
Subject: [PATCH] http2: implement support for max settings entries

Adds the maxSettings option to limit the number of settings
entries allowed per SETTINGS frame. Default 32

Signed-off-by: James M Snell <jasnell@gmail.com>

Fixes: https://hackerone.com/reports/446662
CVE-ID: CVE-2020-11080
PR-URL: https://github.com/nodejs-private/node-private/pull/204
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/207
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
---
 doc/api/http2.md                              | 15 ++++++++
 lib/internal/http2/util.js                    |  8 ++++-
 src/node_http2.cc                             |  6 ++++
 src/node_http2_state.h                        |  1 +
 test/parallel/test-http2-max-settings.js      | 35 +++++++++++++++++++
 .../test-http2-util-update-options-buffer.js  |  8 +++--
 6 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 test/parallel/test-http2-max-settings.js

diff --git a/doc/api/http2.md b/doc/api/http2.md
index 3e836f5dae35b6..c3b4e67f3ea2c6 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -1900,6 +1900,9 @@ error will be thrown.
 <!-- YAML
 added: v8.4.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs-private/node-private/pull/204
+    description: Added `maxSettings` option with a default of 32.
   - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17105
     description: Added the `maxOutstandingPings` option with a default limit of
@@ -1917,6 +1920,8 @@ changes:
 * `options` {Object}
   * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size
     for deflating header fields. **Default:** `4Kib`.
+  * `maxSettings` {number} Sets the maximum number of settings entries per
+    `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`.
   * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session`
     is permitted to use. The value is expressed in terms of number of megabytes,
     e.g. `1` equal 1 megabyte. The minimum value allowed is `1`.
@@ -2010,6 +2015,9 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs-private/node-private/pull/204
+    description: Added `maxSettings` option with a default of 32.
   - version: v10.12.0
     pr-url: https://github.com/nodejs/node/pull/22956
     description: Added the `origins` option to automatically send an `ORIGIN`
@@ -2031,6 +2039,8 @@ changes:
     **Default:** `false`.
   * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size
     for deflating header fields. **Default:** `4Kib`.
+  * `maxSettings` {number} Sets the maximum number of settings entries per
+    `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`.
   * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session`
     is permitted to use. The value is expressed in terms of number of megabytes,
     e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. This is a
@@ -2112,6 +2122,9 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs-private/node-private/pull/204
+    description: Added `maxSettings` option with a default of 32.
   - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17105
     description: Added the `maxOutstandingPings` option with a default limit of
@@ -2126,6 +2139,8 @@ changes:
 * `options` {Object}
   * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size
     for deflating header fields. **Default:** `4Kib`.
+  * `maxSettings` {number} Sets the maximum number of settings entries per
+    `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`.
   * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session`
     is permitted to use. The value is expressed in terms of number of megabytes,
     e.g. `1` equal 1 megabyte. The minimum value allowed is `1`.
diff --git a/lib/internal/http2/util.js b/lib/internal/http2/util.js
index c8701af616f327..09567899fe500f 100644
--- a/lib/internal/http2/util.js
+++ b/lib/internal/http2/util.js
@@ -186,7 +186,8 @@ const IDX_OPTIONS_MAX_HEADER_LIST_PAIRS = 5;
 const IDX_OPTIONS_MAX_OUTSTANDING_PINGS = 6;
 const IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS = 7;
 const IDX_OPTIONS_MAX_SESSION_MEMORY = 8;
-const IDX_OPTIONS_FLAGS = 9;
+const IDX_OPTIONS_MAX_SETTINGS = 9;
+const IDX_OPTIONS_FLAGS = 10;
 
 function updateOptionsBuffer(options) {
   var flags = 0;
@@ -235,6 +236,11 @@ function updateOptionsBuffer(options) {
     optionsBuffer[IDX_OPTIONS_MAX_SESSION_MEMORY] =
       Math.max(1, options.maxSessionMemory);
   }
+  if (typeof options.maxSettings === 'number') {
+    flags |= (1 << IDX_OPTIONS_MAX_SETTINGS);
+    optionsBuffer[IDX_OPTIONS_MAX_SETTINGS] =
+      Math.max(1, options.maxSettings);
+  }
   optionsBuffer[IDX_OPTIONS_FLAGS] = flags;
 }
 
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 35e0e8f623e3e6..9bde444bdd20d4 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -203,6 +203,12 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
   if (flags & (1 << IDX_OPTIONS_MAX_SESSION_MEMORY)) {
     SetMaxSessionMemory(buffer[IDX_OPTIONS_MAX_SESSION_MEMORY] * 1e6);
   }
+
+  if (flags & (1 << IDX_OPTIONS_MAX_SETTINGS)) {
+    nghttp2_option_set_max_settings(
+        options_,
+        static_cast<size_t>(buffer[IDX_OPTIONS_MAX_SETTINGS]));
+  }
 }
 
 void Http2Session::Http2Settings::Init() {
diff --git a/src/node_http2_state.h b/src/node_http2_state.h
index d21d0f90096074..1c87ac654a0e6c 100644
--- a/src/node_http2_state.h
+++ b/src/node_http2_state.h
@@ -52,6 +52,7 @@ namespace http2 {
     IDX_OPTIONS_MAX_OUTSTANDING_PINGS,
     IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS,
     IDX_OPTIONS_MAX_SESSION_MEMORY,
+    IDX_OPTIONS_MAX_SETTINGS,
     IDX_OPTIONS_FLAGS
   };
 
diff --git a/test/parallel/test-http2-max-settings.js b/test/parallel/test-http2-max-settings.js
new file mode 100644
index 00000000000000..2eae223d21bcc7
--- /dev/null
+++ b/test/parallel/test-http2-max-settings.js
@@ -0,0 +1,35 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const http2 = require('http2');
+
+const server = http2.createServer({ maxSettings: 1 });
+
+// TODO(@jasnell): There is still a session event
+// emitted on the server side but it will be destroyed
+// immediately after creation and there will be no
+// stream created.
+server.on('session', common.mustCall((session) => {
+  session.on('stream', common.mustNotCall());
+  session.on('remoteSettings', common.mustNotCall());
+}));
+server.on('stream', common.mustNotCall());
+
+server.listen(0, common.mustCall(() => {
+  // Specify two settings entries when a max of 1 is allowed.
+  // Connection should error immediately.
+  const client = http2.connect(
+    `http://localhost:${server.address().port}`, {
+      settings: {
+        // The actual settings values do not matter.
+        headerTableSize: 1000,
+        enablePush: false,
+      } });
+
+  client.on('error', common.mustCall(() => {
+    server.close();
+  }));
+}));
diff --git a/test/parallel/test-http2-util-update-options-buffer.js b/test/parallel/test-http2-util-update-options-buffer.js
index 6ab8bcff02866e..294f7ee4e1e59a 100644
--- a/test/parallel/test-http2-util-update-options-buffer.js
+++ b/test/parallel/test-http2-util-update-options-buffer.js
@@ -21,7 +21,8 @@ const IDX_OPTIONS_MAX_HEADER_LIST_PAIRS = 5;
 const IDX_OPTIONS_MAX_OUTSTANDING_PINGS = 6;
 const IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS = 7;
 const IDX_OPTIONS_MAX_SESSION_MEMORY = 8;
-const IDX_OPTIONS_FLAGS = 9;
+const IDX_OPTIONS_MAX_SETTINGS = 9;
+const IDX_OPTIONS_FLAGS = 10;
 
 {
   updateOptionsBuffer({
@@ -33,7 +34,8 @@ const IDX_OPTIONS_FLAGS = 9;
     maxHeaderListPairs: 6,
     maxOutstandingPings: 7,
     maxOutstandingSettings: 8,
-    maxSessionMemory: 9
+    maxSessionMemory: 9,
+    maxSettings: 10,
   });
 
   strictEqual(optionsBuffer[IDX_OPTIONS_MAX_DEFLATE_DYNAMIC_TABLE_SIZE], 1);
@@ -45,6 +47,7 @@ const IDX_OPTIONS_FLAGS = 9;
   strictEqual(optionsBuffer[IDX_OPTIONS_MAX_OUTSTANDING_PINGS], 7);
   strictEqual(optionsBuffer[IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS], 8);
   strictEqual(optionsBuffer[IDX_OPTIONS_MAX_SESSION_MEMORY], 9);
+  strictEqual(optionsBuffer[IDX_OPTIONS_MAX_SETTINGS], 10);
 
   const flags = optionsBuffer[IDX_OPTIONS_FLAGS];
 
@@ -56,6 +59,7 @@ const IDX_OPTIONS_FLAGS = 9;
   ok(flags & (1 << IDX_OPTIONS_MAX_HEADER_LIST_PAIRS));
   ok(flags & (1 << IDX_OPTIONS_MAX_OUTSTANDING_PINGS));
   ok(flags & (1 << IDX_OPTIONS_MAX_OUTSTANDING_SETTINGS));
+  ok(flags & (1 << IDX_OPTIONS_MAX_SETTINGS));
 }
 
 {