netty5/codec-http2
Norman Maurer 7003dbdc08
HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461)
Motivation:

It is possible for a remote peer to flood the server / client with empty DATA frames (without end_of_stream flag) set and so cause high CPU usage without the possibility to ever hit a limit. We need to guard against this.

See CVE-2019-9518

Modifications:

- Add a new config option to AbstractHttp2ConnectionBuilder and sub-classes which allows setting the max number of consecutive empty DATA frames (without end_of_stream flag). After this limit is hit we will close the connection. A limit of 10 is used by default.
- Add unit tests

Result:

Guards against CVE-2019-9518
2019-08-13 19:07:10 +02:00
src HTTP2: Guard against empty DATA frames (without end_of_stream flag) set (#9461) 2019-08-13 19:07:10 +02:00
pom.xml [maven-release-plugin] prepare for next development iteration 2019-07-24 09:05:57 +00:00