http2: allow security revert for Ping/Settings Flood

addaleax · BethGriggs · commit 073108c855b3 · 2019-08-15T17:39:04.000+01:00
nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. Backport-PR-URL: #29124 PR-URL: #29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/node_http2.cc b/src/node_http2.cc
@@ -144,6 +144,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
         buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
   }
 
+  if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+    nghttp2_option_set_max_outbound_ack(options_, 10000);
+
   // The padding strategy sets the mechanism by which we determine how much
   // additional frame padding to apply to DATA and HEADERS frames. Currently
   // this is set on a per-session basis, but eventually we may switch to
diff --git a/src/node_revert.h b/src/node_revert.h
@@ -17,6 +17,7 @@ namespace node {
 
 #define SECURITY_REVERSIONS(XX) \
   XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting")           \
+  XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood")         \
   XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood")                 \
   XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak")       \
   XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding")   \

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {`
`144`	`144`	`buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);`
`145`	`145`	`}`
`146`	`146`
	`147`	`+ if (IsReverted(SECURITY_REVERT_CVE_2019_9512))`
	`148`	`+ nghttp2_option_set_max_outbound_ack(options_, 10000);`
	`149`	`+`
`147`	`150`	`// The padding strategy sets the mechanism by which we determine how much`
`148`	`151`	`// additional frame padding to apply to DATA and HEADERS frames. Currently`
`149`	`152`	`// this is set on a per-session basis, but eventually we may switch to`