
Vulnerability dependency x/net #203

Merged (2 commits) Jun 28, 2024
Conversation

tulioncds

CVE-2023-45288: https://osv.dev/vulnerability/GHSA-4v7x-pqxf-cx7m

Summary
net/http, x/net/http2: close connections when receiving too many headers

Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
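The mitigation the advisory describes (keep decoding header bytes past MaxHeaderBytes only up to a bounded excess, then close the connection instead of the stream) as an added illustrative model; this is not the x/net fix nor this repository's code, and the type and function names, the 431 note and the budget values are assumptions:

```go
package main

import (
	"errors"
	"fmt"
)

// ErrExcessHeaderFrames: the peer sent header bytes past the budget; close the connection.
var ErrExcessHeaderFrames = errors.New("http2: too many header bytes, closing connection")
// headerBlock models one request's HEADERS + CONTINUATION fragments (assumed model, not x/net code).
type headerBlock struct {
	maxHeaderBytes int // bytes retained for the request; past this the request is rejected (431)
	excessBudget   int // bytes still decoded-then-discarded before closing; <0 = unbounded (pre-fix)
	received       int
}
// fragment accounts for n more header bytes: keep=false once over maxHeaderBytes (the bytes
// are still HPACK-decoded, then dropped), and an error once the discarded excess passes the budget.
func (h *headerBlock) fragment(n int) (keep bool, err error) {
	h.received += n
	if h.received <= h.maxHeaderBytes {
		return true, nil
	}
	if h.excessBudget >= 0 && h.received-h.maxHeaderBytes > h.excessBudget {
		return false, ErrExcessHeaderFrames
	}
	return false, nil
}
// simulate feeds fragment sizes and reports kept frames, decoded-but-discarded frames, and the close error.
func simulate(frames []int, maxHeaderBytes, excessBudget int) (kept, discarded int, err error) {
	h := &headerBlock{maxHeaderBytes: maxHeaderBytes, excessBudget: excessBudget}
	for _, n := range frames {
		keep, ferr := h.fragment(n)
		if keep {
			kept++
		} else {
			discarded++
		}
		if ferr != nil {
			return kept, discarded, ferr // the caller closes the connection here
		}
	}
	return kept, discarded, nil
}

func main() {
	// Constructed input: one 600-byte HEADERS frame plus nine 600-byte CONTINUATION frames.
	frames := []int{600, 600, 600, 600, 600, 600, 600, 600, 600, 600}
	fmt.Println(simulate(frames, 1000, -1))   // 1 9 <nil>: every frame decoded, never closes
	fmt.Println(simulate(frames, 1000, 2000)) // 1 5 http2: too many header bytes, closing connection
}
```

With an unbounded budget the endpoint keeps decoding every fragment of a request it has already decided to reject; the budget turns that open-ended work into a connection close.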

@shueybubbles
Collaborator

@tulioncds thx for the PR. Missing a go mod tidy

Error: ../../../go/pkg/mod/github.com/!azure/azure-sdk-for-go/sdk/azcore@v1.9.1/runtime/transport_default_http_client.go:15:2: missing go.sum entry for module providing package golang.org/x/net/http2 (imported by github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime); to add:
	go get github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime@v1.9.1
Error: ../../../go/pkg/mod/github.com/jcmturner/rpc/v2@v2.0.3/mstypes/claims.go:10:2: missing go.sum entry for module providing package golang.org/x/net/http2/hpack (imported by github.com/jcmturner/rpc/v2/mstypes); to add:
	go get github.com/jcmturner/rpc/v2/mstypes@v2.0.3
Error: Process completed with exit code 1.

@tulioncds
Author

@tulioncds please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

@codecov-commenter

codecov-commenter commented Jun 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.74%. Comparing base (2395b78) to head (f820109).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #203   +/-   ##
=======================================
  Coverage   74.74%   74.74%           
=======================================
  Files          32       32           
  Lines        6379     6379           
=======================================
  Hits         4768     4768           
  Misses       1327     1327           
  Partials      284      284           


@tulioncds tulioncds changed the title from "Vulnerabilty depency x/net" to "Vulnerabilty dependency x/net" Jun 27, 2024
@shueybubbles shueybubbles merged commit 9b84d9b into microsoft:main Jun 28, 2024
7 checks passed
@tulioncds tulioncds deleted the patch-1 branch July 31, 2024 13:02