netty5

History

Norman Maurer c6c679597f HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460 ) Motivation: Due how http2 spec is defined it is possible by a remote peer to flood us with frames that will trigger control frames as response, the problem here is that the remote peer can also just stop reading these (while still produce more of these) and so may drive us to the pointer where we either run out of memory or burn all CPU. To protect against this we need to implement some kind of limit that will tear down connections that cause the above mentioned situation. See CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515 Modifications: - Add Http2ControlFrameLimitEncoder which limits the number of queued control frames that were caused because of the remote peer. - Allow to insert ths Http2ControlFrameLimitEncoder by setting AbstractHttp2ConnectionBuilder.encoderEnforceMaxQueuedControlFrames(...) to a number higher then 0. The default is 10000 which provides some protection by default but will hopefully not cause too many false-positives. - Add unit tests Result: Protect against DDOS due control frames. Fixes CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515 .	2019-08-14 10:02:24 +02:00
..
src	HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460 )	2019-08-14 10:02:24 +02:00
pom.xml	Remove duplicated declaration of dependency	2019-01-21 11:54:55 +01:00

Norman Maurer c6c679597f HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460 )

Motivation:

Due how http2 spec is defined it is possible by a remote peer to flood us with frames that will trigger control frames as response, the problem here is that the remote peer can also just stop reading these (while still produce more of these) and so may drive us to the pointer where we either run out of memory or burn all CPU. To protect against this we need to implement some kind of limit that will tear down connections that cause the above mentioned situation.

See CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515

Modifications:

- Add Http2ControlFrameLimitEncoder which limits the number of queued control frames that were caused because of the remote peer.
- Allow to insert ths Http2ControlFrameLimitEncoder by setting AbstractHttp2ConnectionBuilder.encoderEnforceMaxQueuedControlFrames(...) to a number higher then 0. The default is 10000 which provides some protection by default but will hopefully not cause too many false-positives.
- Add unit tests

Result:

Protect against DDOS due control frames. Fixes CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515 .

2019-08-14 10:02:24 +02:00

src

HTTP2: Add protection against remote control frames that are triggered by a remote peer (#9460 )

2019-08-14 10:02:24 +02:00

pom.xml

Remove duplicated declaration of dependency

2019-01-21 11:54:55 +01:00