Diffstat (limited to 'main/nginx/CVE-2018-16844.patch')
-rw-r--r-- | main/nginx/CVE-2018-16844.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/main/nginx/CVE-2018-16844.patch b/main/nginx/CVE-2018-16844.patch
new file mode 100644
index 00000000000..c44930f9b86
--- /dev/null
+++ b/main/nginx/CVE-2018-16844.patch
@@ -0,0 +1,60 @@
+# HG changeset patch
+# User Ruslan Ermilov <ru@nginx.com>
+# Date 1541510989 -10800
+# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860
+# Parent 1c6b6163c03945bcc65c252cc42b0af18744c085
+HTTP/2: limit the number of idle state switches.
+
+An attack that continuously switches HTTP/2 connection between
+idle and active states can result in excessive CPU usage.
+This is because when a connection switches to the idle state,
+all of its memory pool caches are freed.
+
+This change limits the maximum allowed number of idle state
+switches to 10 * http2_max_requests (i.e., 10000 by default).
+This limits possible CPU usage in one connection, and also
+imposes a limit on the maximum lifetime of a connection.
+
+Initially reported by Gal Goldshtein from F5 Networks.
+
+Patch-Source: http://hg.nginx.org/nginx/rev/9200b41db765
+
+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.c
+--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300
++++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:49 2018 +0300
+@@ -4481,12 +4481,19 @@
+
+ #endif
+
++ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
++ ngx_http_v2_module);
++
++ if (h2c->idle++ > 10 * h2scf->max_requests) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
++ return;
++ }
++
+ c->destroyed = 0;
+ ngx_reusable_connection(c, 0);
+
+- h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+- ngx_http_v2_module);
+-
+ h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+ if (h2c->pool == NULL) {
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.h
+--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300
++++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:49 2018 +0300
+@@ -121,6 +121,7 @@
+
+ ngx_uint_t processing;
+ ngx_uint_t frames;
++ ngx_uint_t idle;
+
+
ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+ + |