From d8da265c81fb27925f744986bc9c7592d8ed24cc Mon Sep 17 00:00:00 2001
From: Anna Henningsen <anna@addaleax.net>
Date: Tue, 23 Mar 2021 15:48:41 +0100
Subject: [PATCH] http2: treat non-EOF empty frames like other invalid frames

Use the existing mechanism that we have to keep track of invalid frames
for treating this specific kind of invalid frame.

The commit that originally introduced this check was 695e38be69a780417,
which was supposed to proected against CVE-2019-9518, which in turn
was specifically about a *flood* of empty data frames. While these are
still invalid frames either way, it makes sense to be forgiving here
and just treat them like other invalid frames, i.e. to allow a small
(configurable) number of them.

Fixes: https://github.com/nodejs/node/issues/37849

PR-URL: https://github.com/nodejs/node/pull/37875
Backport-PR-URL: https://github.com/nodejs/node/pull/38673
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
---
 src/node_http2.cc                             |   6 ++-
 test/fixtures/emptyframe.http2                | Bin 0 -> 4233 bytes
 .../test-http2-empty-frame-without-eof.js     |  39 ++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 test/fixtures/emptyframe.http2
 create mode 100644 test/parallel/test-http2-empty-frame-without-eof.js

diff --git a/src/node_http2.cc b/src/node_http2.cc
index fb23cb0f51073c..5e7b484886f801 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -1277,7 +1277,11 @@ int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
       frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
     stream->EmitRead(UV_EOF);
   } else if (frame->hd.length == 0) {
-    return 1;  // Consider 0-length frame without END_STREAM an error.
+    if (invalid_frame_count_++ > js_fields_->max_invalid_frames) {
+      Debug(this, "rejecting empty-frame-without-END_STREAM flood\n");
+      // Consider a flood of 0-length frames without END_STREAM an error.
+      return 1;
+    }
   }
   return 0;
 }
diff --git a/test/fixtures/emptyframe.http2 b/test/fixtures/emptyframe.http2
new file mode 100644
index 0000000000000000000000000000000000000000..c4a095c4334529276c7b8435cd8fa6a86fb77fbb
GIT binary patch
literal 4233
zcma)8c{r497a!T8tYyhIV;TEc#x9dk#$J|2wlu~V!<ZQ}V~av$mo4<lntcf&`;t97
z5sFBbDX&yWWc$3;x4hT&{_#E6_1yP!&V9~#&iS4Dy6+zVz(5E1`OqGZ&c`nu%}?<}
z3C&*%G!Z}vdOQY;_XTnaT6v*mK~N=-DUt+&DnJ!MiprV_Dw+!FAh@X&ke!!;_NB<X
zQao_yK`2)wiHxSeyeKXZb#_q{0Z&2WDG)Lm<we3${2)XE4vX@GkkCW|i2@<uaejf7
zC!EnPNH5&66$u5BAfs_E5}@-StOw?&LK@_Zq#!kqHDnYCOZ;u+g(o9j&=9mY5-0I*
zA0HndIShe-!J#2YJQC+e!J^1=D1rxwOve55!hby|NQ}p^69!HC>G40}uZTaj|4!t%
zDm)tXw|xH_>Hq!rd5{O%8H@aT(PWC>arXa%gUd01<lo67iP&HD{Bw2^zcIn$aacV1
zF9`o~{)b>>3i245zg6_RAICicxl$-ZvZlN|icI|7COIO3Ou>-QWKWzNfrOD~XZMBp
zlF1Mvi9k7q0ZYKMC>~csa7M$Na0HY)@Dv^97M2K<Wz#{S(8nFSj7Jfiv3LwSlP|;@
zNy1~vu53^R4FzSW8VIVPq7GG11~Sk<fsk{Ga*Cke79dH)FH?C{IYlX;6uSq~7joPn
zn3AH3lB$A&0+5#8$&Z320|3lFcP<Su`sA-IObeik`lTvE7{|@1vbR#L71mT9$bJ?#
zwKu+;07>i=aZPAhI(zk{fs<aOZDQ5b?l-|zq~(StWK{^4pp;I?6d2w{mqYzsgRN>)
z`l6rgvG+ZK7L1NA(Z5DKC+{ad;X>$cghOj5zU+?du{2oPSnHu0xJq8fe{j)T&sj<g
zus}FhvM_Q;*oQ3VEvR%+ByP@2dr0+Jq0F@k{1axRhmqkHW%JD<k2w&;K9e4B*O-ix
zG$f5MD2+JDuNIXVB;#(!5SKCCy>$TS7aEnha_^o5{{@ZjcZ6-apV9F9)ZQdWF$uEU
zT*t~31*46mKjrLG$eSxv9}bpOGjs{e)f~}k&BhgPS^t8u*dk^~aP4BrWOr=9Xo)+V
zmZ1hw%3TBNvPynrX3RFMfmKD;&wmc_4pNDOUTr+B7%3iu*Zuf-eyg1=y)-rFla{7^
zZcOMYDtx`*lZBKC{jRl)n`1zWEgbjE#e9qXEgqrv=-X<QoB1Z^VTPm1(%taKa(bC1
z!(osrlaripqSRDfA8jxSHNM%L*hzkE43l>Wy;mVum|2wCWz%=1A3O;zRz9mJXgWMP
zc%pk(D5gaC`9a0l57V0dT%QN7@ro+jAes=Sl+24M>EsD3DfhA!ND~V_M6&4e;^>Hi
zbTiTh6Zs-NL)4_*2M>HV@7h$lZ`|k*8^hC!eRy$0Z=AnlsH1{|z%OK{U$UVGEqc*?
z-#L+gah;h#Upd=G_<X|nLf3u_!hgdWQzprZ8>B5Ir!4SnnL9<wz*skKK=m&?hGa9L
zl*~HgEb2`f#5=>=Ee9T@_mM;le2NWiS)<Qgc>hI%*;vIWDdoxiF<XP|(<z%`;A@eQ
z3YzB&c6y%;FE{fA0vnd*Xdt*#yLaQgCrezAPp_e+6!TEE;YtsdW;YV17!ezj&o8Ys
z(oLP7*|2208-{J))53x|{M&i&GW(gFk`pw!lC0&$^?g*vbAfxASUN1?a&_OY+QxCN
zPn7~sIb>^<E!w>G@ok#LZIb0uCL3mjLPExr7T7Ayy+(8P%q(YMrXAhN;#F*i;x6m{
zz;lhqP0PBzKXmv}n{)PviBOa+x=O$sCmoWx@a5aFR$AIR^RZ{sOiE?A-s!Cb?+vN`
z;Zb3cRNS~uY*kOEv}745YsgiQ(Y{n2|3eco+*IMWYqlm+jW(-!i<=j-`|5XqtCH3%
zb?*whKRH~O{jN!GQ_$F>bQHa+e6Cpet550{uG37;bw>AN+D#eVi?sF_F7VDvYvu~C
zk2h2^8#qY|e>PA}Z%s;E8uv~~J}C2E2dh$gKl}HH3ih_ckG^%W%D09*N*q0XD3&AT
z`6mC*sfrBnx!PSqP$y$+Ws*MTXu?bi3m(a~;G9<+BoGwa&*-pgx!<3Mz{YLdM(q9s
zDF*U>5oiYv<h;w!8m1{Qb`REgEtF(S)MFm*If)`&+6WjI+@#Fq`a|_KKW43tR(pTF
z`JK_hDg`#jw8!Qjk-TEccp<QLH{1rrt88EgP0t%GvVu8eYDNq|XRNO;bdvZi4;cV}
zqobea(eZG6%l^7(X)XZ(nZHh{m?74?3hbeuwYvM;lbX;|HB1o#FuyNUCbu%;#pku5
zJKL&bT^fT+1I}R@-bA9Bw%rkfRH#f5gfa))_TyPRE1jQ$&cU93`c1C+7T@jCHIMXM
zzFE$RHk~=<D&8frrMoOC`n;cry%y2>pKoD8nsO`0qzTZVai7~TU~run|4ref^hk}%
zI_X7XdWl4jtZ}&n@iF3V#;bnS(lr3!FN$!SwrJ4L`R6y_B=1jwX3%DV^j@9wQ2WXl
z6=>&kP4T{xVb~hywg8dSnxoU{#pM3kT7c=fnS^EMqBp=z*6-ifY1UQN%~uS|!L*9g
z>=+D5%_`sNneAIgpHe%IU59~_)2KbcB1h!afG&wIdWi+8X+Zeh$_UbJJ{Q>_`UNF!
zEI$oBLP*==L+Lqgd$+!_5U8uz9je$^=5kmgmV1Y-PdbG8+vV)6PN&CNYhPN#3Uv|m
z@L|i#z2{Dl%?eY~IJ)k*xq=>^{Fpx(dw>h}=4^M`8l9{}$E)slF;Uyr%GKuiWtl%v
zd+cS|`$1;iF_xd}gdTogu9C*-gX@h*;IG;6lG}(8cfgGlF-0EbApd?#W!OPOV#SHB
ztSm|T?h$qPJil;8f<hGiCU$+^tFm_XwC0wWXnhp9+Av@8Kv7Na3fACujj_8AX~F+)
z_2I!Y0jio#(&xmsmPzbh0{^@yV8syTe#L0Ab|@(%^FaGGYO=bwtg?5X<C8`?X2kOz
ztXDf5#uH1<#mrxa)oGJ7w{L{RSKv4}+mZ|`iU*IH(q{AHlw;2L@wHq{cI0W!;H9%L
zed3X?ZtMv#>okT$6?*a-`EyOpJ>U18n;If1B_8#dH)?PL=j8xAvDImY#O=qM2~?GG
z>$a9Z>^uBy&rq=}>4k)d&D*Bw%X&>QWJk5{Fk<FJm(2zIfcke}+x-3UvdHRym=w=-
zZA6<O)$`bH@o5bC$aD9J`XiOiA{)`TG{QspP@3OFSps}WZ7|nmNXu>VMeYj!ig~q*
zkc#_~`6kP;ol;zy%0|&{nBP{8i_q<&1UT?UDm<_eUHq=7StNmN!9+X6SJSjOe#B+B
z-<faoUgHy;K;H+%z&o*LS$t(3;-#Y)PD!sQLWhb*gLXEYXdNDo@Ll^ZD{BO$arz@W
zUgOjWJ}i3z{e38lkm19zj+v(nJqx9LVAHIx>c%BAPakXQXp0(PUv}D3J6EpRrj-tq
zLTavrh>2au=tW-K%}=pob21Z_oO=f-$13yL((6y8i;I;66<@hjQwYYHLWSQCi8#~k
zkJD;`Z6aQfWnSW{ZtA+%O*3d3B8|4L8N7jnEI7)Q{wOifovCZL4IJ}QU=Grm8sIT_
zY4@q~5#jQ5%aGltqF40qg85rIjP-<SbTv!RPx9_wvzCf7Gf<2lD{~k$QPz^EjS=G+
zor|*QSOjg}n?2WUT$kJyls_7o1jbZ11Rd@34@O6CRyZDdk^-DMoQrGWISR9(U+GkM
z=Bx2}=lLtHX5L5_ym}|9e`GQ(oDwE&VS-f=fSa^fMdasE3|=TWafs4?qV4CAP5vwh
za(ZELEA*bQjZnJ?>-5>9B*~zloB`f-aFi2=9^aMjGYeLx&<Sg!lj%0PiC@K1IJ0<D
z7)_o_<u^Q634VSCbD|EwuKYmyD0^RH`79*O^X`nO`iZT6(NkZz3<o2xrX(2d8*sgx
z<?)+N#@$m8762zYw~Cm*7*L3I0cF0Y?w&PByx9-XJB^gQ3{B$}SgL=w-QHUFmczFW
zQNfsN$KO*<Ca}RUTO2>8MxWjq_6q!<$!-67lw4Mt$&!2F`Z}EVx}I}~%?C}rCMC@i
zy$;%bv`vfGVTP;f4iliPgz9l0*j}9?Cy~2xGQ$hyA62ThuDQ;#^<(ZNL+9Z$CEZ39
zik9K0I5=l)2le%C?qcv%o6rHC#Upf_-X8Gw4kke2S!{Z%e;$sO`lHgJE+xEHIQLbH
zk5*F?LivM#CV6=aA=B(h^`@_X*BO$Se5PD5Z|lP2xMs5v(z@32`Ae{xQ6{?{U^~~F
zNG^cjZE6gAe^FpwrMgc@X2>EHZSg7twl@2I)HdhAjf-s!wbbIu>(ZCZFtgQR3cPG%
zB276<9s=Q+t-U*xg-M||s5*Bxnu9lRO#KYkp>Q<4`1+LmQJIKc=DKgG)!~n2$3OF0
ztF++y9G)$_CuXA#N;Ap1y3{^cZ3lx-%Hn<86zRMwzU=GGQQ&)4ezwL*gT@hW!t#UD
zO@-Uj4sE5)<#fwWONw4KEjQa2swD>qSF1sM*f*1E3t43bA;ZO4f!{8!%Au-^Jqs#h
zlnjbZ*1#(&;_?O9T{;Asrdp`<xosau)o6MZs3Yrhgnom-2WluuUsP703MAEjowqX4
zSr`#21s3TP34awc9v*`PhhcjXq6eOnRMD+318YRJn4}DgWeb|b@r}ms_dL0oIvpE^
zB0gBY3J0v+_I_h<ZEmUEZp_4qo@zBGjzqrQW>49PQ8i-p-RSsufcIyxva9^|wtSRl
zZP!II)xP&3AfPkaA)jxcB}p4`M{PF1Y4+e&J$3uZ;~|Jc^RueTny<QR4<-}-IF*p6
z%^&8QNaZBl42p5~V$}|<nztPUEnny%>d@++7T~|6Rjr)p8U`au$~|i%K)Q&}PFr1r
z@5Myw>o^Z$61Of%^i=erkxnUfL0s_<LRk{|yR9R$(Kvr+4BOhCbTjiBS<PaaQU2Z+
zjZ@;&bi7QMxGqO=&lme(Z`dw-lcWY>9)2|4hJY>v$3`wKM(azk7P)!7H>fq2m+gs?
zJ<@yHcfS6j&Elzi1DI5*nQzXwUg_<%q%7x<jc7LxuUDY^t6t&vx@L_^w5$=i6I59a
zyWpb-d|5)!{?s3PJ=jiMp0J%Vx2#)$5qf8ni!oI~(Ob`6jeo^&amUM8;w0<LrNj?~
zM!Til@)7S3UukKm#nEm$`JZd;?P|9Wx>_Y(JAc6Qi|?@fA_&K9=jiASdgI1~+<)l9
LFADS*52E=OrzwSx

literal 0
HcmV?d00001

diff --git a/test/parallel/test-http2-empty-frame-without-eof.js b/test/parallel/test-http2-empty-frame-without-eof.js
new file mode 100644
index 00000000000000..02da78d940a92d
--- /dev/null
+++ b/test/parallel/test-http2-empty-frame-without-eof.js
@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const { readSync } = require('../common/fixtures');
+const net = require('net');
+const http2 = require('http2');
+const { once } = require('events');
+
+async function main() {
+  const blobWithEmptyFrame = readSync('emptyframe.http2');
+  const server = net.createServer((socket) => {
+    socket.end(blobWithEmptyFrame);
+  }).listen(0);
+  await once(server, 'listening');
+
+  for (const maxSessionInvalidFrames of [0, 2]) {
+    const client = http2.connect(`http://localhost:${server.address().port}`, {
+      maxSessionInvalidFrames
+    });
+    const stream = client.request({
+      ':method': 'GET',
+      ':path': '/'
+    });
+    if (maxSessionInvalidFrames) {
+      stream.on('error', common.mustNotCall());
+      client.on('error', common.mustNotCall());
+    } else {
+      stream.on('error', common.mustCall());
+      client.on('error', common.mustCall());
+    }
+    stream.resume();
+    await once(stream, 'end');
+    client.close();
+  }
+  server.close();
+}
+
+main().then(common.mustCall());