bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).

pull/524/head
Thibault Charbonnier 5 years ago committed by Thibault Charbonnier
parent 80ba3892c6
commit 59e4ef5c23

@ -0,0 +1,136 @@
--- src/http/v2/ngx_http_v2.c
+++ src/http/v2/ngx_http_v2.c
@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
header->name.len = h2c->state.field_end - h2c->state.field_start;
header->name.data = h2c->state.field_start;
+ if (header->name.len == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent zero header name length");
+
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_PROTOCOL_ERROR);
+ }
+
return ngx_http_v2_state_field_len(h2c, pos, end);
}
@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;
- if (header->name.len == 0) {
- return NGX_ERROR;
- }
-
r->invalid_header = 0;
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
--- src/http/v2/ngx_http_v2.c
+++ src/http/v2/ngx_http_v2.c
@@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
*/
pool = stream->pool;
+ h2c->frames -= stream->frames;
+
ngx_http_free_request(stream->request, rc);
if (pool != h2c->state.pool) {
--- src/http/v2/ngx_http_v2.h
+++ src/http/v2/ngx_http_v2.h
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
ngx_buf_t *preread;
+ ngx_uint_t frames;
+
ngx_http_v2_out_frame_t *free_frames;
ngx_chain_t *free_frame_headers;
ngx_chain_t *free_bufs;
--- src/http/v2/ngx_http_v2_filter_module.c
+++ src/http/v2/ngx_http_v2_filter_module.c
@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t *
ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
size_t len, ngx_chain_t *first, ngx_chain_t *last)
{
- u_char flags;
- ngx_buf_t *buf;
- ngx_chain_t *cl;
- ngx_http_v2_out_frame_t *frame;
+ u_char flags;
+ ngx_buf_t *buf;
+ ngx_chain_t *cl;
+ ngx_http_v2_out_frame_t *frame;
+ ngx_http_v2_connection_t *h2c;
frame = stream->free_frames;
+ h2c = stream->connection;
if (frame) {
stream->free_frames = frame->next;
- } else {
+ } else if (h2c->frames < 10000) {
frame = ngx_palloc(stream->request->pool,
sizeof(ngx_http_v2_out_frame_t));
if (frame == NULL) {
return NULL;
}
+
+ stream->frames++;
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}
flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
--- src/http/v2/ngx_http_v2.c
+++ src/http/v2/ngx_http_v2.c
@@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev)
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
h2c->concurrent_pushes = h2scf->concurrent_pushes;
+ h2c->priority_limit = h2scf->concurrent_streams;
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
if (h2c->pool == NULL) {
@@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
}
+ if (--h2c->priority_limit == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many PRIORITY frames");
+
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
+ }
+
if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
return ngx_http_v2_state_save(h2c, pos, end,
ngx_http_v2_state_priority);
@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
h2c->processing++;
}
+ h2c->priority_limit += h2scf->concurrent_streams;
+
return stream;
}
--- src/http/v2/ngx_http_v2.h
+++ src/http/v2/ngx_http_v2.h
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t priority_limit;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;

@ -411,7 +411,7 @@ if [ "$answer" = "Y" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
echo
else
elif [ `$root/util/ver-ge "$main_ver" 1.15.0` = "Y" ]; then
answer=`$root/util/ver-ge "$main_ver" 1.15.6`
if [ "$answer" = "N" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
@ -435,6 +435,23 @@ else
fi
fi
answer=`$root/util/ver-ge "$main_ver" 1.9.5`
if [ "$answer" = "Y" ]; then
answer=`$root/util/ver-ge "$main_ver" 1.16.1`
if [ "$answer" = "N" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
echo
elif [ `$root/util/ver-ge "$main_ver" 1.17.0` = "Y" ]; then
answer=`$root/util/ver-ge "$main_ver" 1.17.3`
if [ "$answer" = "N" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
echo
fi
fi
fi
rm -f *.patch || exit 1
echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"

Loading…
Cancel
Save