c6c679597f
Motivation: Due how http2 spec is defined it is possible by a remote peer to flood us with frames that will trigger control frames as response, the problem here is that the remote peer can also just stop reading these (while still produce more of these) and so may drive us to the pointer where we either run out of memory or burn all CPU. To protect against this we need to implement some kind of limit that will tear down connections that cause the above mentioned situation. See CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515 Modifications: - Add Http2ControlFrameLimitEncoder which limits the number of queued control frames that were caused because of the remote peer. - Allow to insert ths Http2ControlFrameLimitEncoder by setting AbstractHttp2ConnectionBuilder.encoderEnforceMaxQueuedControlFrames(...) to a number higher then 0. The default is 10000 which provides some protection by default but will hopefully not cause too many false-positives. - Add unit tests Result: Protect against DDOS due control frames. Fixes CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515 . |
||
---|---|---|
.. | ||
src | ||
pom.xml |