Norman Maurer c6c679597f HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460)
Motivation:

Due to how the http2 spec is defined it is possible for a remote peer to flood us with frames that will trigger control frames as response, the problem here is that the remote peer can also just stop reading these (while still producing more of these) and so may drive us to the point where we either run out of memory or burn all CPU. To protect against this we need to implement some kind of limit that will tear down connections that cause the above mentioned situation.

See CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515

Modifications:

- Add Http2ControlFrameLimitEncoder which limits the number of queued control frames that were caused because of the remote peer.
- Allow to insert this Http2ControlFrameLimitEncoder by setting AbstractHttp2ConnectionBuilder.encoderEnforceMaxQueuedControlFrames(...) to a number higher than 0. The default is 10000 which provides some protection by default but will hopefully not cause too many false-positives.
- Add unit tests

Result:

Protect against DDOS due to control frames. Fixes CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515.
2019-08-14 10:02:24 +02:00
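
The limit described in the commit message above, as an added example that is not part of the commit or of Netty's code: a self-contained model of a per-connection cap on queued control-frame replies. The class and method names (`ControlFrameLimitDemo`, `Connection`, `queueControlFrame`, `peerRead`, `simulate`) are hypothetical, and the exact boundary at which the connection is closed is an assumption of this model.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Simplified model of a queued-control-frame limit; not Netty's Http2ControlFrameLimitEncoder. */
public class ControlFrameLimitDemo {
    /** Hypothetical stand-in for the outbound side of one HTTP/2 connection. */
    static final class Connection {
        private final int maxQueued;
        private final Deque<String> unread = new ArrayDeque<>(); // replies the peer has not read yet
        private boolean closed;

        Connection(int maxQueued) { this.maxQueued = maxQueued; }

        /** An inbound frame forces a reply (PING -> PING ACK, SETTINGS -> SETTINGS ACK). */
        boolean queueControlFrame(String frame) {
            if (closed || unread.size() >= maxQueued) {
                // The peer keeps triggering replies without draining them: tear the connection down.
                closed = true;
                unread.clear(); // release the buffered replies
                return false;
            }
            unread.add(frame);
            return true;
        }

        /** The peer read up to n of our queued replies. */
        void peerRead(int n) {
            while (n-- > 0 && unread.poll() != null) { /* drained one reply */ }
        }
    }

    /** Sends `frames` triggering frames; the peer reads one reply per frame only if `reads` is true. */
    static Connection simulate(int limit, int frames, boolean reads) {
        Connection c = new Connection(limit);
        for (int i = 0; i < frames && c.queueControlFrame("PING_ACK"); i++) {
            if (reads) { c.peerRead(1); }
        }
        return c;
    }

    public static void main(String[] args) {
        int limit = 10_000; // the default named in the commit message
        Connection flood = simulate(limit, 50_000, false);
        Connection normal = simulate(limit, 50_000, true);
        System.out.println("non-reading peer: closed=" + flood.closed + " queued=" + flood.unread.size());
        System.out.println("reading peer:     closed=" + normal.closed + " queued=" + normal.unread.size());
    }
}
```

The peer that keeps reading never accumulates queued replies and is unaffected by the cap, while the peer that stops reading is disconnected once the queue reaches the limit, which bounds the memory held per connection.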
.github Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
.mvn support publishing snapshots from docker based ci (#8634) 2018-12-07 06:16:39 +01:00
all Always include classes from all native transports no matter on which platform netty-all is built (#9111) 2019-04-30 23:24:14 +02:00
bom Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
buffer Use alloc().heapBuffer(...) to allocate new heap buffer. 2019-08-13 10:52:52 +02:00
codec Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
codec-dns Pre-decompressed DNS record RData that may contain compression pointers (#9311) 2019-07-02 19:39:21 +02:00
codec-haproxy HAProxyMessageDecoder not correctly handle delimiter in all cases (#9282) 2019-06-27 21:59:09 +02:00
codec-http Set the ORIGIN header from a custom headers if present (#9435) 2019-08-11 08:22:31 +02:00
codec-http2 HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460) 2019-08-14 10:02:24 +02:00
codec-memcache codec-memcache: copy metadata in binary full request response (#9160) 2019-05-22 11:06:16 +02:00
codec-mqtt MqttConnectPayload.toString() should use Arrays.toString() instead of [].toString() (#9292) 2019-06-27 21:55:28 +02:00
codec-redis migrate java8: use requireNonNull (#8840) 2019-02-04 10:32:25 +01:00
codec-smtp SmtpRequestEncoderTest ByteBuf leak (#9075) 2019-04-19 08:47:28 +02:00
codec-socks migrate java8: use requireNonNull (#8840) 2019-02-04 10:32:25 +01:00
codec-stomp use checkPositive/checkPositiveOrZero (#8835) 2019-02-04 15:55:07 +01:00
codec-xml Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
common Try to load native linux libraries with matching classifier first (#9411) 2019-08-12 08:48:58 +02:00
dev-tools Update version number to start working on Netty 5 2018-11-20 15:49:57 +01:00
docker Use delegated docker mount option to speedup builds (#9441) 2019-08-13 10:27:33 +02:00
example Use allocator when constructing ByteBufHolder sub-types or use Unpool… (#9377) 2019-07-18 10:36:03 +02:00
handler Always wrap X509ExtendedTrustManager when using OpenSSL and JDK < 11 (#9443) 2019-08-13 10:26:56 +02:00
handler-proxy Remove code that accounts for changing EventExecutors in DefaultPromise (#8996) 2019-04-03 10:36:55 +02:00
license Use Table lookup for HPACK decoder (#9307) 2019-07-02 20:13:19 +02:00
microbench Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
resolver Close delegate resolver from RoundRobinInetAddressResolver (#9214) 2019-06-04 05:14:28 -07:00
resolver-dns Fix flaky DnsNameResolverTest.testTruncatedWithTcpFallback (#9262) 2019-06-21 09:29:15 +02:00
tarball Update version number to start working on Netty 5 2018-11-20 15:49:57 +01:00
testsuite Add support for loopbackmode and accessing the configured interface when using epoll native transport with multicast (#9218) 2019-06-07 13:45:45 -07:00
testsuite-autobahn Use allocator when constructing ByteBufHolder sub-types or use Unpool… (#9377) 2019-07-18 10:36:03 +02:00
testsuite-http2 Use allocator when constructing ByteBufHolder sub-types or use Unpool… (#9377) 2019-07-18 10:36:03 +02:00
testsuite-native-image remove unused imports (#9287) 2019-06-26 21:16:16 +02:00
testsuite-osgi Adjust testsuite-osgi to resolve bundles from local build (#8944) 2019-03-18 09:56:08 +01:00
testsuite-shading Use maven plugin to prevent API/ABI breakage as part of build process (#8904) 2019-03-01 19:48:29 +01:00
transport Motivation: 2019-08-03 10:31:48 +00:00
transport-native-epoll Do not cache local/remote address when creating EpollDatagramChannel with InternetProtocolFamily (#9436) 2019-08-11 09:09:26 +02:00
transport-native-kqueue Fix native-build/target/lib wanted but build in native-build/target/lib64 (#9410) 2019-08-07 07:58:04 +00:00
transport-native-unix-common Added UDP multicast (with caveats: getInterface, getNetworkInterface, block or loopback-mode-disabled operations). 2019-05-25 10:06:13 +02:00
transport-native-unix-common-tests Merge ChannelInboundHandler and ChannelOutboundHandler into ChannelHa… (#8957) 2019-03-28 09:28:27 +00:00
transport-sctp Deprecate ChannelInboundHandlerAdapter and ChannelOutboundHandlerAdapter (#8929) 2019-03-13 09:46:10 +01:00
.fbprefs Updated Find Bugs configuration 2009-03-04 10:33:09 +00:00
.gitattributes Include mvn wrapper to make setup of development env easier 2018-01-26 08:13:17 +01:00
.gitignore Add .gitignore for docker-sync stuff 2019-03-19 14:04:21 +01:00
CONTRIBUTING.md Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
LICENSE.txt Relicensed to Apache License v2 2009-08-28 07:15:49 +00:00
mvnw Include mvn wrapper to make setup of development env easier 2018-01-26 08:13:17 +01:00
mvnw.cmd Include mvn wrapper to make setup of development env easier 2018-01-26 08:13:17 +01:00
NOTICE.txt Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
pom.xml Try to load native linux libraries with matching classifier first (#9411) 2019-08-12 08:48:58 +02:00
README.md Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:10:14 +02:00
run-example.sh Drop SPDY support (#8845) 2019-02-07 09:25:31 +01:00

Netty Project

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

How to build

For the detailed information about building and developing Netty, please visit the developer guide. This page only gives very basic information.

You require the following to build Netty:

Note that this is a build-time requirement. JDK 5 (for 3.x) or 6 (for 4.0+) is enough to run your Netty-based application.

Branches to look at

Development of all versions takes place in each branch whose name is identical to <majorVersion>.<minorVersion>. For example, the development of 3.9 and 4.0 resides in the branch '3.9' and the branch '4.0' respectively.

Usage with JDK 9

Netty can be used in modular JDK9 applications as a collection of automatic modules. The module names follow the reverse-DNS style, and are derived from subproject names rather than root packages due to historical reasons. They are listed below:

  • io.netty.all
  • io.netty.buffer
  • io.netty.codec
  • io.netty.codec.dns
  • io.netty.codec.haproxy
  • io.netty.codec.http
  • io.netty.codec.http2
  • io.netty.codec.memcache
  • io.netty.codec.mqtt
  • io.netty.codec.redis
  • io.netty.codec.smtp
  • io.netty.codec.socks
  • io.netty.codec.stomp
  • io.netty.codec.xml
  • io.netty.common
  • io.netty.handler
  • io.netty.handler.proxy
  • io.netty.resolver
  • io.netty.resolver.dns
  • io.netty.transport
  • io.netty.transport.epoll (native omitted - reserved keyword in Java)
  • io.netty.transport.kqueue (native omitted - reserved keyword in Java)
  • io.netty.transport.unix.common (native omitted - reserved keyword in Java)
  • io.netty.transport.rxtx
  • io.netty.transport.sctp
  • io.netty.transport.udt

Automatic modules do not provide any means to declare dependencies, so you need to list each used module separately in your module-info file.