netty5/codec-http2/src/test
Norman Maurer 6283a78e4f HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461)
Motivation:

It is possible for a remote peer to flood the server / client with empty DATA frames (without end_of_stream flag) set and so cause high CPU usage without the possibility to ever hit a limit. We need to guard against this.

See CVE-2019-9518

Modifications:

- Add a new config option to AbstractHttp2ConnectionBuilder and sub-classes which allows setting the max number of consecutive empty DATA frames (without end_of_stream flag). After this limit is hit we will close the connection. A limit of 10 is used by default.
- Add unit tests

Result:

Guards against CVE-2019-9518
2019-08-14 10:02:32 +02:00
java/io/netty/handler/codec/http2 HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461) 2019-08-14 10:02:32 +02:00
resources/io/netty/handler/codec/http2/testdata Fix failing h2spec tests 8.1.2.1 related to pseudo-headers validation 2018-01-29 19:42:56 -08:00