forked from microsoft/azurelinux
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
726 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| From 0360b25ae53f9398cfca462f91698d1887a1ae76 Mon Sep 17 00:00:00 2001 | ||
| From: Pawel Winogrodzki <pawelwi@microsoft.com> | ||
| Date: Mon, 1 Jul 2024 16:33:53 -0700 | ||
| Subject: [PATCH] Port CVE-2022-3064 fix from go-yaml to zclconf. | ||
|
|
||
| This patch is ported from go-yaml's fix for CVE-2022-3064: | ||
| https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 | ||
|
|
||
| The patch only applies to "scannerc.go", which seems to have been | ||
| copied from go-yaml by zclconf. | ||
| --- | ||
| .../github.com/zclconf/go-cty-yaml/scannerc.go | 16 ++++++++++++++++ | ||
| 1 file changed, 16 insertions(+) | ||
|
|
||
| diff --git a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go | ||
| index ea82e3e..8eb8303 100644 | ||
| --- a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go | ||
| +++ b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go | ||
| @@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool { | ||
| return true | ||
| } | ||
|
|
||
| +// max_flow_level limits the flow_level | ||
| +const max_flow_level = 10000 | ||
| + | ||
| // Increase the flow level and resize the simple key list if needed. | ||
| func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { | ||
| // Reset the simple key on the next level. | ||
| @@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { | ||
|
|
||
| // Increase the flow level. | ||
| parser.flow_level++ | ||
| + if parser.flow_level > max_flow_level { | ||
| + return yaml_parser_set_scanner_error(parser, | ||
| + "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark, | ||
| + fmt.Sprintf("exceeded max depth of %d", max_flow_level)) | ||
| + } | ||
| return true | ||
| } | ||
|
|
||
| @@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool { | ||
| return true | ||
| } | ||
|
|
||
| +// max_indents limits the indents stack size | ||
| +const max_indents = 10000 | ||
| + | ||
| // Push the current indentation level to the stack and set the new level | ||
| // the current column is greater than the indentation level. In this case, | ||
| // append or insert the specified token into the token queue. | ||
| @@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml | ||
| // indentation level. | ||
| parser.indents = append(parser.indents, parser.indent) | ||
| parser.indent = column | ||
| + if len(parser.indents) > max_indents { | ||
| + return yaml_parser_set_scanner_error(parser, | ||
| + "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark, | ||
| + fmt.Sprintf("exceeded max depth of %d", max_indents)) | ||
| + } | ||
|
|
||
| // Create a token and insert it into the queue. | ||
| token := yaml_token_t{ | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001 | ||
| From: Damien Neil <dneil@google.com> | ||
| Date: Wed, 10 Jan 2024 13:41:39 -0800 | ||
| Subject: [PATCH] http2: close connections when receiving too many headers | ||
|
|
||
| Maintaining HPACK state requires that we parse and process | ||
| all HEADERS and CONTINUATION frames on a connection. | ||
| When a request's headers exceed MaxHeaderBytes, we don't | ||
| allocate memory to store the excess headers but we do | ||
| parse them. This permits an attacker to cause an HTTP/2 | ||
| endpoint to read arbitrary amounts of data, all associated | ||
| with a request which is going to be rejected. | ||
|
|
||
| Set a limit on the amount of excess header frames we | ||
| will process before closing a connection. | ||
|
|
||
| Thanks to Bartek Nowotarski for reporting this issue. | ||
|
|
||
| Fixes CVE-2023-45288 | ||
| Fixes golang/go#65051 | ||
|
|
||
| Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 | ||
| Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 | ||
| Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
| Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 | ||
| Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
| Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> | ||
| Reviewed-by: Than McIntosh <thanm@google.com> | ||
| LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
| --- | ||
| vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ | ||
| 1 file changed, 31 insertions(+) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go | ||
| index c1f6b90..175c154 100644 | ||
| --- a/vendor/golang.org/x/net/http2/frame.go | ||
| +++ b/vendor/golang.org/x/net/http2/frame.go | ||
| @@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
| if size > remainSize { | ||
| hdec.SetEmitEnabled(false) | ||
| mh.Truncated = true | ||
| + remainSize = 0 | ||
| return | ||
| } | ||
| remainSize -= size | ||
| @@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
| var hc headersOrContinuation = hf | ||
| for { | ||
| frag := hc.HeaderBlockFragment() | ||
| + | ||
| + // Avoid parsing large amounts of headers that we will then discard. | ||
| + // If the sender exceeds the max header list size by too much, | ||
| + // skip parsing the fragment and close the connection. | ||
| + // | ||
| + // "Too much" is either any CONTINUATION frame after we've already | ||
| + // exceeded the max header list size (in which case remainSize is 0), | ||
| + // or a frame whose encoded size is more than twice the remaining | ||
| + // header list bytes we're willing to accept. | ||
| + if int64(len(frag)) > int64(2*remainSize) { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: header list too large") | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| + // Also close the connection after any CONTINUATION frame following an | ||
| + // invalid header, since we stop tracking the size of the headers after | ||
| + // an invalid one. | ||
| + if invalid != nil { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: invalid header: %v", invalid) | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| if _, err := hdec.Write(frag); err != nil { | ||
| return nil, ConnectionError(ErrCodeCompression) | ||
| } | ||
| -- | ||
| 2.44.0 | ||
|
|
Oops, something went wrong.