From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Tue, 7 May 2024 09:29:47 +0800
Subject: [PATCH] fix CVE-2021-44716 http2: cap the size of the server's canonical header cache The HTTP/2 server keeps a per-connection cache mapping header keys to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the maximum size of this cache to prevent a peer sending many unique header keys from causing unbounded memory growth. Cap chosen arbitrarily at 32 entries. Since this cache does not include common headers (e.g., content-type), 32 seems like more than enough for almost all normal uses.
Fixes #50058
Fixes CVE-2021-44716
Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker
Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
Trust: Filippo Valsorda
Run-TryBot: Filippo Valsorda
Trust: Damien Neil
Reviewed-by: Russ Cox
Reviewed-by: Filippo Valsorda
TryBot-Result: Gopher Robot
---
 vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 5e01ce9..5253650 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
 sc.canonHeader = make(map[string]string)
 }
 cv = http.CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
 return cv
 }
 
-- 
2.20.1
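Review bot: The added guard `if len(sc.canonHeader) < maxCachedCanonicalHeaders` bounds how many keys the per-connection cache holds but not how large they are, so a connection can still retain up to 32 very long keys plus their canonical copies, limited only by whatever header-size limit the server enforces elsewhere. Consider bounding cached bytes as well, for example `if len(sc.canonHeader) < maxCachedCanonicalHeaders && len(v) <= maxCachedKeyLen {`, where `maxCachedKeyLen` is a proposed new constant sized for this project. Separately, the diffstat shows only the file under `vendor/` changing, so unless go.mod and vendor/modules.txt are updated elsewhere, a later `go mod vendor` would presumably overwrite this fix, and dependency scanners would likely still report the old module version. The body of canonicalHeader begins above the hunk.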