http2: allow security revert for Ping/Settings Flood

nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-12 23:36:00 +02:00 · 2019-08-12 23:36:00 +02:00 · ec60b625b6
commit ec60b625b6
parent 8a4a1931b8
2 changed files with 4 additions and 0 deletions
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@ -151,6 +151,9 @@ Http2Options::Http2Options(Environment* env, nghttp2_session_type type) {
        buffer[IDX_OPTIONS_PEER_MAX_CONCURRENT_STREAMS]);
  }

+  if (IsReverted(SECURITY_REVERT_CVE_2019_9512))
+    nghttp2_option_set_max_outbound_ack(options_, 10000);
+
  // The padding strategy sets the mechanism by which we determine how much
  // additional frame padding to apply to DATA and HEADERS frames. Currently
  // this is set on a per-session basis, but eventually we may switch to
--- a/src/node_revert.h
+++ b/src/node_revert.h
@ -16,6 +16,7 @@
 namespace node {

 #define SECURITY_REVERSIONS(XX)                                            \
+  XX(CVE_2019_9512, "CVE-2019-9512", "HTTP/2 Ping/Settings Flood")         \
  XX(CVE_2019_9514, "CVE-2019-9514", "HTTP/2 Reset Flood")                 \
  XX(CVE_2019_9516, "CVE-2019-9516", "HTTP/2 0-Length Headers Leak")       \
  XX(CVE_2019_9518, "CVE-2019-9518", "HTTP/2 Empty DATA Frame Flooding")   \