
Go version as minor point release #40

Merged (1 commit), Apr 4, 2024

Conversation

TechSolomon
Member

Fixes #36.


http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

Set a limit on the amount of excess header frames we will process before closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
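The quoted release note describes the defensive idea in one sentence: keep feeding every HEADERS/CONTINUATION fragment to the HPACK decoder (the connection's compression state depends on it), but charge the bytes beyond the per-request cap against a connection-wide budget and close the connection once that budget is exhausted. The following is an added illustration of that accounting, written for this review; it is not the `net/http` or `golang.org/x/net/http2` implementation. The frame types, the `Conn` type, the `ExcessLimit` value of 4096 and the byte-counting stand-in for HPACK decoding are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// FrameType is the subset of HTTP/2 frame types that carry header block
// fragments (constructed for this illustration; not the net/http types).
type FrameType int

const (
	FrameHeaders FrameType = iota
	FrameContinuation
)

// Frame is a simplified HEADERS/CONTINUATION frame. Only the fragment length
// matters for the accounting below; the bytes are never really decoded.
type Frame struct {
	Type       FrameType
	StreamID   uint32
	Fragment   []byte
	EndHeaders bool
}

var (
	ErrExcessHeaders = errors.New("too many header bytes past the limit; closing connection")
	ErrProtocol      = errors.New("CONTINUATION without a matching HEADERS frame")
)

// Conn tracks header accounting for one HTTP/2 connection (assumed type).
type Conn struct {
	MaxHeaderBytes int // per-request cap (the role http.Server.MaxHeaderBytes plays)
	ExcessLimit    int // connection-wide budget for bytes beyond the cap (assumed value)

	inHeaders bool     // between a HEADERS frame and its END_HEADERS flag
	stream    uint32   // stream of the header block currently being read
	curBytes  int      // header bytes seen for the current request
	excess    int      // bytes past MaxHeaderBytes, summed over the connection
	decoded   int      // bytes handed to the (simulated) HPACK decoder
	rejected  []uint32 // streams whose headers exceeded the cap
}

// ProcessFrame feeds one frame through the accounting. Every fragment still
// counts as decoded, because HPACK state must stay in sync even for a request
// that will be rejected; the difference is that bytes past the per-request cap
// are charged against a budget that the whole connection shares.
func (c *Conn) ProcessFrame(f Frame) error {
	switch f.Type {
	case FrameHeaders:
		if c.inHeaders {
			return ErrProtocol
		}
		c.inHeaders, c.stream, c.curBytes = true, f.StreamID, 0
	case FrameContinuation:
		if !c.inHeaders || f.StreamID != c.stream {
			return ErrProtocol
		}
	default:
		return fmt.Errorf("unexpected frame type %d", f.Type)
	}

	n := len(f.Fragment)
	c.decoded += n // the decoder must see every byte, rejected request or not
	c.curBytes += n
	if over := c.curBytes - c.MaxHeaderBytes; over > 0 {
		if over > n {
			over = n // only the part of this fragment that lies past the cap
		}
		c.excess += over
		if c.excess > c.ExcessLimit {
			return ErrExcessHeaders // budget spent: the caller closes the connection
		}
	}

	if f.EndHeaders {
		if c.curBytes > c.MaxHeaderBytes {
			c.rejected = append(c.rejected, c.stream) // request rejected, connection kept
		}
		c.inHeaders = false
	}
	return nil
}

// Simulate runs frames through a fresh Conn and reports how many frames were
// accepted before the connection had to be closed (err != nil), plus the
// streams whose requests were rejected for oversized headers.
func Simulate(maxHeader, excessLimit int, frames []Frame) (processed int, rejected []uint32, err error) {
	c := &Conn{MaxHeaderBytes: maxHeader, ExcessLimit: excessLimit}
	for i, f := range frames {
		if err := c.ProcessFrame(f); err != nil {
			return i, c.rejected, err
		}
	}
	return len(frames), c.rejected, nil
}

// OpenEndedHeaders builds a HEADERS frame followed by n CONTINUATION frames of
// size bytes each, none carrying END_HEADERS (constructed input for the demo).
func OpenEndedHeaders(stream uint32, size, n int) []Frame {
	frames := []Frame{{Type: FrameHeaders, StreamID: stream, Fragment: make([]byte, size)}}
	for i := 0; i < n; i++ {
		frames = append(frames, Frame{Type: FrameContinuation, StreamID: stream, Fragment: make([]byte, size)})
	}
	return frames
}

func main() {
	// Oversized but terminated request: the request is rejected, the connection survives.
	_, rej, err := Simulate(1024, 4096, []Frame{
		{Type: FrameHeaders, StreamID: 1, Fragment: make([]byte, 1024)},
		{Type: FrameContinuation, StreamID: 1, Fragment: make([]byte, 1024), EndHeaders: true},
	})
	fmt.Println("rejected streams:", rej, "err:", err)

	// Header block that never ends: closed once 4096 excess bytes have been decoded.
	n, _, err := Simulate(1024, 4096, OpenEndedHeaders(3, 1024, 100))
	fmt.Println("frames accepted before close:", n, "err:", err)
}
```

The point to check in a real server is the second case: without the connection-wide budget, the loop would happily decode all 100 fragments (and any number after them) for a request it has already decided to reject; with it, the peer gets at most `ExcessLimit` bytes of decoder work past the cap before the connection is torn down. In the first case the same accounting leaves a merely oversized request on a healthy connection alone, which is why the budget is separate from `MaxHeaderBytes` rather than a replacement for it.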

@TechSolomon TechSolomon self-assigned this Apr 4, 2024
@TechSolomon TechSolomon linked an issue Apr 4, 2024 that may be closed by this pull request
@TechSolomon TechSolomon changed the title Released Go version as minor point release Go version as minor point release Apr 4, 2024
@TechSolomon TechSolomon merged commit c10a4ba into main Apr 4, 2024
1 check passed
@TechSolomon TechSolomon deleted the 36-go-minor-revisions branch April 4, 2024 19:00
TechSolomon added a commit that referenced this pull request Apr 19, 2024
* Code freeze for first minor release (#39)

* nit: minor code format

* refactor: remove duplicate function contents

* Updated configuration flow of control (#38)

* feat: draft variable packet size experiment

* docs: new section for project replicability

* docs: markdown diagram (system control flow) + blockquote highlight

* refactor: utility to insights + diode collection script

* feat: module install & output binary

* feat: begin subscribe and publish commands

* feat: basic payload retrieval from standard input

* refactor: prepare for complete message detection

* feat: filter output from incoming payload

* refactor: stream demo into encapsulator & republisher

* refactor: option to delimit message & remove write new line

* feat: draft message flow w/ client-server location

* feat: mock MQTT connection prior to testing

* feat: receive message from given source location

* refactor: next steps for outbound message flow

* docs: text on links for architecture diagram

* remove: start/end delimiter + message case

* refactor: entry point for main application, build information, & testing

* feat: split input & output metadata via project settings

* fix: repackaged JSON object contents + diode metadata

* docs: update main program directory name

* bump: patch version for `net/http` (#40)

* refactor: benchmark tooling for throughout testing

* refactor: placeholder client dialing attempts & timestamp units
Successfully merging this pull request may close these issues.

Go 1.22.2 and Go 1.21.9 pre-announcement