diff options
Diffstat (limited to 'main/nginx/CVE-2019-9511.patch')
-rw-r--r-- | main/nginx/CVE-2019-9511.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/main/nginx/CVE-2019-9511.patch b/main/nginx/CVE-2019-9511.patch new file mode 100644 index 0000000000..3b48e0cd7a --- /dev/null +++ b/main/nginx/CVE-2019-9511.patch @@ -0,0 +1,87 @@ +From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov <ru@nginx.com> +Date: Tue, 13 Aug 2019 15:43:36 +0300 +Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames. + +Fixed excessive memory growth and CPU usage if stream windows are +manipulated in a way that results in generating many small DATA frames. +Fix is to limit the number of simultaneously allocated DATA frames. +--- + src/http/v2/ngx_http_v2.c | 2 ++ + src/http/v2/ngx_http_v2.h | 2 ++ + src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++----- + 3 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index be2ef82b..1b01f271 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index bec22160..715b7d30 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index 029e8ece..c7ee5536 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; +-- +2.20.1 + |