Commit c57c033a authored by hadret's avatar hadret

fix: CVE-2019-9511, CVE-2019-9513 & CVE-2019-9516.

parent 8ce4f1a5
nginx (1.14.2-4xenial0) xenial; urgency=medium
* Non-maintainer upload.
* SECURITY UPDATE: HTTP/2 Data Dribble issue
- debian/patches/CVE-2019-9511.patch: limited number of DATA frames in
src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h,
src/http/v2/ngx_http_v2_filter_module.c.
- CVE-2019-9511
* SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
- debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames
in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
- CVE-2019-9513
* SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
- debian/patches/CVE-2019-9516.patch: reject zero length headers with
PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
- CVE-2019-9516
-- Filip Chabik <hadret@gmail.com> Fri, 16 Aug 2019 08:24:21 +0000
nginx (1.14.2-3xenial2) xenial; urgency=medium
* Non-maintainer upload.
......
From 94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Tue, 13 Aug 2019 15:43:36 +0300
Subject: [PATCH] HTTP/2: limited number of DATA frames.
Fixed excessive memory growth and CPU usage if stream windows are
manipulated in a way that results in generating many small DATA frames.
Fix is to limit the number of simultaneously allocated DATA frames.
---
src/http/v2/ngx_http_v2.c | 2 ++
src/http/v2/ngx_http_v2.h | 2 ++
src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++-----
3 files changed, 21 insertions(+), 5 deletions(-)
Index: nginx-1.14.0/src/http/v2/ngx_http_v2.c
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:24.703339807 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:24.699339795 -0400
@@ -4335,6 +4335,8 @@ ngx_http_v2_close_stream(ngx_http_v2_str
*/
pool = stream->pool;
+ h2c->frames -= stream->frames;
+
ngx_http_free_request(stream->request, rc);
if (pool != h2c->state.pool) {
Index: nginx-1.14.0/src/http/v2/ngx_http_v2.h
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2.h 2019-08-14 14:44:24.703339807 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2.h 2019-08-14 14:44:24.699339795 -0400
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
ngx_buf_t *preread;
+ ngx_uint_t frames;
+
ngx_http_v2_out_frame_t *free_frames;
ngx_chain_t *free_frame_headers;
ngx_chain_t *free_bufs;
Index: nginx-1.14.0/src/http/v2/ngx_http_v2_filter_module.c
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2_filter_module.c 2019-08-14 14:44:24.703339807 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2_filter_module.c 2019-08-14 14:44:24.703339807 -0400
@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
size_t len, ngx_chain_t *first, ngx_chain_t *last)
{
- u_char flags;
- ngx_buf_t *buf;
- ngx_chain_t *cl;
- ngx_http_v2_out_frame_t *frame;
+ u_char flags;
+ ngx_buf_t *buf;
+ ngx_chain_t *cl;
+ ngx_http_v2_out_frame_t *frame;
+ ngx_http_v2_connection_t *h2c;
frame = stream->free_frames;
+ h2c = stream->connection;
if (frame) {
stream->free_frames = frame->next;
- } else {
+ } else if (h2c->frames < 10000) {
frame = ngx_palloc(stream->request->pool,
sizeof(ngx_http_v2_out_frame_t));
if (frame == NULL) {
return NULL;
}
+
+ stream->frames++;
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}
flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
From 39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Tue, 13 Aug 2019 15:43:40 +0300
Subject: [PATCH] HTTP/2: limited number of PRIORITY frames.
Fixed excessive CPU usage caused by a peer that continuously shuffles
priority of streams. Fix is to limit the number of PRIORITY frames.
---
src/http/v2/ngx_http_v2.c | 10 ++++++++++
src/http/v2/ngx_http_v2.h | 1 +
2 files changed, 11 insertions(+)
Index: nginx-1.14.0/src/http/v2/ngx_http_v2.c
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:31.139358603 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:31.135358591 -0400
@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
h2c->concurrent_pushes = h2scf->concurrent_pushes;
+ h2c->priority_limit = h2scf->concurrent_streams;
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
if (h2c->pool == NULL) {
@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_c
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
}
+ if (--h2c->priority_limit == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many PRIORITY frames");
+
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
+ }
+
if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
return ngx_http_v2_state_save(h2c, pos, end,
ngx_http_v2_state_priority);
@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_co
h2c->processing++;
}
+ h2c->priority_limit += h2scf->concurrent_streams;
+
return stream;
}
Index: nginx-1.14.0/src/http/v2/ngx_http_v2.h
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2.h 2019-08-14 14:44:31.139358603 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2.h 2019-08-14 14:44:31.135358591 -0400
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t priority_limit;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;
From dbdd9ffea81d9db46fb88b5eba828f2ad080d388 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Tue, 13 Aug 2019 15:43:32 +0300
Subject: [PATCH] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
---
src/http/v2/ngx_http_v2.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
Index: nginx-1.14.0/src/http/v2/ngx_http_v2.c
===================================================================
--- nginx-1.14.0.orig/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:36.239373498 -0400
+++ nginx-1.14.0/src/http/v2/ngx_http_v2.c 2019-08-14 14:44:36.239373498 -0400
@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_htt
header->name.len = h2c->state.field_end - h2c->state.field_start;
header->name.data = h2c->state.field_start;
+ if (header->name.len == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent zero header name length");
+
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_PROTOCOL_ERROR);
+ }
+
return ngx_http_v2_state_field_len(h2c, pos, end);
}
@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_req
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;
- if (header->name.len == 0) {
- return NGX_ERROR;
- }
-
r->invalid_header = 0;
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
0001-upstream-check.patch
0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
0003-define_gnu_source-on-other-glibc-based-platforms.patch
CVE-2019-9511.patch
CVE-2019-9513.patch
CVE-2019-9516.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment