nghttp2: address CVE-2024-28182 (#10656)

Signed-off-by: Muhammad Falak R Wani <[email protected]>

Author: mfrw

SPECS/nghttp2/CVE-2024-28182.patch

@@ -0,0 +1,210 @@
+From 0480c05df47962b324f7e918a71f764102ff7441 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <[email protected]>
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH 1/2] Limit CONTINUATION frames following an incoming HEADER
+ frame
+
+Signed-off-by: Muhammad Falak R Wani <[email protected]>
+---
+ lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ lib/nghttp2_helper.c           |  2 ++
+ lib/nghttp2_session.c          |  7 +++++++
+ lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index fa22081c..b394bde9 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -440,7 +440,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+ 
+ /**
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 93dd4754..b3563d98 100644
+--- a/lib/nghttp2_helper.c
++++ b/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+            "closed";
+   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+     return "SETTINGS frame contained more than the maximum allowed entries";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index ec5024d0..8e4d2e7e 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+ 
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           }
+         }
+         session_inbound_frame_reset(session);
++
++        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+       }
+ #endif /* DEBUGBUILD */
+ 
++      if (++session->num_continuations > session->max_continuations) {
++        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++      }
++
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+ 
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index b119329a..ef8f7b27 100644
+--- a/lib/nghttp2_session.h
++++ b/lib/nghttp2_session.h
+@@ -110,6 +110,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+ 
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -290,6 +294,12 @@ struct nghttp2_session {
+   size_t max_send_header_block_length;
+   /* The maximum number of settings accepted per SETTINGS frame. */
+   size_t max_settings;
++  /* The maximum number of CONTINUATION frames following an incoming
++     HEADER frame. */
++  size_t max_continuations;
++  /* The number of CONTINUATION frames following an incoming HEADER
++     frame.  This variable is reset when END_HEADERS flag is seen. */
++  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+-- 
+2.47.0
+
+From 90f8bb08e4322ac9f58110a8c87a8385e424f53d Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <[email protected]>
+Date: Sat, 9 Mar 2024 16:48:10 +0900
+Subject: [PATCH 2/2] Add nghttp2_option_set_max_continuations
+
+Signed-off-by: Muhammad Falak R Wani <[email protected]>
+---
+ doc/Makefile.am                |  1 +
+ lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
+ lib/nghttp2_option.c           |  5 +++++
+ lib/nghttp2_option.h           |  5 +++++
+ lib/nghttp2_session.c          |  4 ++++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 96f449ff..5636a137 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -73,6 +73,7 @@ APIDOCS= \
+ 	nghttp2_option_set_peer_max_concurrent_streams.rst \
+ 	nghttp2_option_set_server_fallback_rfc7540_priorities.rst \
+ 	nghttp2_option_set_user_recv_extension_type.rst \
++	nghttp2_option_set_max_continuations.rst \
+ 	nghttp2_option_set_max_outbound_ack.rst \
+ 	nghttp2_option_set_max_settings.rst \
+ 	nghttp2_option_set_stream_reset_rate_limit.rst \
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index b394bde9..4d3339b5 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
+ nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+                                            uint64_t burst, uint64_t rate);
+ 
++/**
++ * @function
++ *
++ * This function sets the maximum number of CONTINUATION frames
++ * following an incoming HEADER frame.  If more than those frames are
++ * received, the remote endpoint is considered to be misbehaving and
++ * session will be closed.  The default value is 8.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
++                                                         size_t val);
++
+ /**
+  * @function
+  *
+diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
+index 43d4e952..53144b9b 100644
+--- a/lib/nghttp2_option.c
++++ b/lib/nghttp2_option.c
+@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+   option->stream_reset_burst = burst;
+   option->stream_reset_rate = rate;
+ }
++
++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
++  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
++  option->max_continuations = val;
++}
+diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
+index 2259e184..c89cb97f 100644
+--- a/lib/nghttp2_option.h
++++ b/lib/nghttp2_option.h
+@@ -71,6 +71,7 @@ typedef enum {
+   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
+   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
+   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
++  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
+ } nghttp2_option_flag;
+ 
+ /**
+@@ -98,6 +99,10 @@ struct nghttp2_option {
+    * NGHTTP2_OPT_MAX_SETTINGS
+    */
+   size_t max_settings;
++  /**
++   * NGHTTP2_OPT_MAX_CONTINUATIONS
++   */
++  size_t max_continuations;
+   /**
+    * Bitwise OR of nghttp2_option_flag to determine that which fields
+    * are specified.
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 8e4d2e7e..ced7517b 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
+                            option->stream_reset_burst,
+                            option->stream_reset_rate);
+     }
++
++    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
++      (*session_ptr)->max_continuations = option->max_continuations;
++    }
+   }
+ 
+   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+-- 
+2.47.0
+

SPECS/nghttp2/nghttp2.spec

@@ -1,13 +1,14 @@
 Summary:        nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
 Name:           nghttp2
 Version:        1.57.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://nghttp2.org
 Source0:        https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch0:         CVE-2024-28182.patch
 BuildRequires:  gcc
 BuildRequires:  make
 %if %{with_check}
@@ -59,6 +60,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Tue Oct 08 2024 Muhammad Falak <[email protected]> - 1.57.0-2
+- Address CVE-2024-28182
+
 * Wed Oct 11 2023 Dan Streetman <[email protected]> - 1.57.0-1
 - Update version to 1.57.0 to include patches for CVE-2023-44487
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.aarch64.rpm
 libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-3.cm2.aarch64.rpm
-nghttp2-1.57.0-1.cm2.aarch64.rpm
+nghttp2-1.57.0-2.cm2.aarch64.rpm
 curl-8.8.0-2.cm2.aarch64.rpm
 curl-devel-8.8.0-2.cm2.aarch64.rpm
 curl-libs-8.8.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.x86_64.rpm
 libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-3.cm2.x86_64.rpm
-nghttp2-1.57.0-1.cm2.x86_64.rpm
+nghttp2-1.57.0-2.cm2.x86_64.rpm
 curl-8.8.0-2.cm2.x86_64.rpm
 curl-devel-8.8.0-2.cm2.x86_64.rpm
 curl-libs-8.8.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -261,9 +261,9 @@ newt-0.52.21-5.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-5.cm2.aarch64.rpm
 newt-devel-0.52.21-5.cm2.aarch64.rpm
 newt-lang-0.52.21-5.cm2.aarch64.rpm
-nghttp2-1.57.0-1.cm2.aarch64.rpm
-nghttp2-debuginfo-1.57.0-1.cm2.aarch64.rpm
-nghttp2-devel-1.57.0-1.cm2.aarch64.rpm
+nghttp2-1.57.0-2.cm2.aarch64.rpm
+nghttp2-debuginfo-1.57.0-2.cm2.aarch64.rpm
+nghttp2-devel-1.57.0-2.cm2.aarch64.rpm
 ninja-build-1.10.2-2.cm2.aarch64.rpm
 ninja-build-debuginfo-1.10.2-2.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -267,9 +267,9 @@ newt-0.52.21-5.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-5.cm2.x86_64.rpm
 newt-devel-0.52.21-5.cm2.x86_64.rpm
 newt-lang-0.52.21-5.cm2.x86_64.rpm
-nghttp2-1.57.0-1.cm2.x86_64.rpm
-nghttp2-debuginfo-1.57.0-1.cm2.x86_64.rpm
-nghttp2-devel-1.57.0-1.cm2.x86_64.rpm
+nghttp2-1.57.0-2.cm2.x86_64.rpm
+nghttp2-debuginfo-1.57.0-2.cm2.x86_64.rpm
+nghttp2-devel-1.57.0-2.cm2.x86_64.rpm
 ninja-build-1.10.2-2.cm2.x86_64.rpm
 ninja-build-debuginfo-1.10.2-2.cm2.x86_64.rpm
 npth-1.6-4.cm2.x86_64.rpm