From 1e4a302630aeb7367ba0e31dc469f6919e766e5d Mon Sep 17 00:00:00 2001
From: Christos Trochalakis <yatiohi@ideopolis.gr>
Date: Wed, 7 Nov 2018 14:48:22 +0200
Subject: [PATCH] Adapt HTTP/2 flood detection to nginx 1.10.3

To mitigate CVE-2018-16843, the allocated frames have to be checked in
ngx_http_v2_send_settings() as well, since SETTINGS frames are handled
separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432).
Thanks to Nginx's Maxim Dounin for his help.
---
 src/http/v2/ngx_http_v2.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 1d28fd6b..c8769e39 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1969,7 +1969,9 @@ ngx_http_v2_state_settings(ngx_http_v2_connection_t *h2c, u_char *pos,
         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
     }
 
-    ngx_http_v2_send_settings(h2c, 1);
+    if (ngx_http_v2_send_settings(h2c, 1) == NGX_ERROR) {
+        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+    }
 
     return ngx_http_v2_state_settings_params(h2c, pos, end);
 }
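Review bot: The new `== NGX_ERROR` branch in ngx_http_v2_state_settings() now covers two different causes, a failed pool allocation and the frame limit added in ngx_http_v2_send_settings(), and reports both as `NGX_HTTP_V2_INTERNAL_ERROR` with nothing in the code saying so. A short comment above the check would help the next reader, for example `/* NGX_ERROR: allocation failure or the frame flood limit in ngx_http_v2_send_settings() */`. The flood path also sets `h2c->connection->error = 1` before returning, so whether this error code ever reaches the peer depends on how ngx_http_v2_connection_error() treats that flag, which is not visible in this patch.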
@@ -2453,6 +2455,13 @@ ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack)
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
                    "http2 send SETTINGS frame ack:%ui", ack);
 
+    if (h2c->frames++ > 10000) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                     "http2 flood detected");
+        h2c->connection->error = 1;
+        return NGX_ERROR;
+    }
+
     frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t));
     if (frame == NULL) {
         return NGX_ERROR;
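Review bot: The guard `if (h2c->frames++ > 10000)` uses a bare literal and has no comment saying what `frames` counts. No decrement appears anywhere in this patch, so it reads as a cap on frames allocated over the connection's lifetime rather than a rate limit. I would add a comment such as `/* CVE-2018-16843: cap on output frames allocated for this connection; SETTINGS acks are allocated here, outside the common frame path */`, and ideally share one named constant with the other flood check the commit message refers to. The post-increment also runs on the rejecting path, which is harmless here only because the connection is marked as failed immediately afterwards. For detection, "http2 flood detected" is logged at `NGX_LOG_INFO`, so it is only recorded when the error log level is set to `info` or lower; the deployment notes should say so. The body of ngx_http_v2_send_settings() continues past the end of this hunk.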
-- 
2.19.1

