etcd/0010-fix-CVE-2021-44716.patch

From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Tue, 7 May 2024 09:29:47 +0800
Subject: [PATCH] fix CVE-2021-44716

http2: cap the size of the server's canonical header cache

The HTTP/2 server keeps a per-connection cache mapping header keys
to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the
maximum size of this cache to prevent a peer sending many unique
header keys from causing unbounded memory growth.

Cap chosen arbitrarily at 32 entries. Since this cache does not
include common headers (e.g., content-type), 32 seems like more
than enough for almost all normal uses.

Fixes #50058
Fixes CVE-2021-44716

Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 5e01ce9..5253650 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
 		sc.canonHeader = make(map[string]string)
 	}
 	cv = http.CanonicalHeaderKey(v)
-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}
 	return cv
 }
 
-- 
2.20.1
fix CVE-2021-44716 instead of CVE-2024-4437 2024-05-07 09:35:45 +08:00			`From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001`
			`From: bwzhang <zhangbowei@kylinos.cn>`
			`Date: Tue, 7 May 2024 09:29:47 +0800`
			`Subject: [PATCH] fix CVE-2021-44716`

			`http2: cap the size of the server's canonical header cache`

			`The HTTP/2 server keeps a per-connection cache mapping header keys`
			`to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the`
			`maximum size of this cache to prevent a peer sending many unique`
			`header keys from causing unbounded memory growth.`

			`Cap chosen arbitrarily at 32 entries. Since this cache does not`
			`include common headers (e.g., content-type), 32 seems like more`
			`than enough for almost all normal uses.`

			`Fixes #50058`
			`Fixes CVE-2021-44716`

			`Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105`
			`Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827`
			`Reviewed-by: Roland Shoemaker <bracewell@google.com>`
			`Reviewed-on: https://go-review.googlesource.com/c/net/+/369794`
			`Trust: Filippo Valsorda <filippo@golang.org>`
			`Run-TryBot: Filippo Valsorda <filippo@golang.org>`
			`Trust: Damien Neil <dneil@google.com>`
			`Reviewed-by: Russ Cox <rsc@golang.org>`
			`Reviewed-by: Filippo Valsorda <filippo@golang.org>`
			`TryBot-Result: Gopher Robot <gobot@golang.org>`
			`---`
			`vendor/golang.org/x/net/http2/server.go \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go`
			`index 5e01ce9..5253650 100644`
			`--- a/vendor/golang.org/x/net/http2/server.go`
			`+++ b/vendor/golang.org/x/net/http2/server.go`
			`@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {`
			`sc.canonHeader = make(map[string]string)`
			`}`
			`cv = http.CanonicalHeaderKey(v)`
			`- sc.canonHeader[v] = cv`
			`+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of`
			`+ // entries in the canonHeader cache. This should be larger than the number`
			`+ // of unique, uncommon header keys likely to be sent by the peer, while not`
			`+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded`
			`+ // number of unique header keys.`
			`+ const maxCachedCanonicalHeaders = 32`
			`+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {`
			`+ sc.canonHeader[v] = cv`
			`+ }`
			`return cv`
			`}`

			`--`
			`2.20.1`