netty5

History

Norman Maurer 6283a78e4f HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461 ) Motivation: It is possible for a remote peer to flood the server / client with empty DATA frames (without end_of_stream flag) set and so cause high CPU usage without the possibility to ever hit a limit. We need to guard against this. See CVE-2019-9518 Modifications: - Add a new config option to AbstractHttp2ConnectionBuilder and sub-classes which allows to set the max number of consecutive empty DATA frames (without end_of_stream flag). After this limit is hit we will close the connection. A limit of 10 is used by default. - Add unit tests Result: Guards against CVE-2019-9518	2019-08-14 10:02:32 +02:00
..
src	HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461 )	2019-08-14 10:02:32 +02:00
pom.xml	Remove duplicated declaration of dependency	2019-01-21 11:54:55 +01:00

Norman Maurer 6283a78e4f HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461 )

Motivation:

It is possible for a remote peer to flood the server / client with empty DATA frames (without end_of_stream flag) set and so cause high CPU usage without the possibility to ever hit a limit. We need to guard against this.

See CVE-2019-9518

Modifications:

- Add a new config option to AbstractHttp2ConnectionBuilder and sub-classes which allows to set the max number of consecutive empty DATA frames (without end_of_stream flag). After this limit is hit we will close the connection. A limit of 10 is used by default.
- Add unit tests

Result:

Guards against CVE-2019-9518

2019-08-14 10:02:32 +02:00

src

HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461 )

2019-08-14 10:02:32 +02:00

pom.xml

Remove duplicated declaration of dependency

2019-01-21 11:54:55 +01:00