golang/0028-release-branch.go1.17-net-http-update-bundled-golang.patch

From 9b62e5e5e979905fd53919dfa4ad53458574ee61 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 9 Dec 2021 06:32:14 -0500
Subject: [PATCH 4/6] [release-branch.go1.17] net/http: update bundled
 golang.org/x/net/http2

Pull in security fix

    84cba54 http2: cap the size of the server's canonical header cache

Updates #50058
Fixes CVE-2021-44716

Change-Id: Ia89e3d22a173c6cb83f03608d5186fcd08f2956c
Reviewed-on: https://go-review.googlesource.com/c/go/+/370574
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

Conflict: NA
Reference: https://go-review.googlesource.com/c/go/+/370574
---
 src/go.mod                |  2 +-
 src/go.sum                |  4 ++--
 src/net/http/h2_bundle.go | 10 +++++++++-
 src/vendor/modules.txt    |  2 +-
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/go.mod b/src/go.mod
index 386b51a6569..ada50077937 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e
-	golang.org/x/net v0.0.0-20211101194204-95aca89e93de
+	golang.org/x/net v0.0.0-20211209100829-84cba5454caf
 )
 
 require (
diff --git a/src/go.sum b/src/go.sum
index 1f328206ecb..3e181c992f5 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -1,8 +1,8 @@
 golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e h1:8foAy0aoO5GkqCvAEJ4VC4P3zksTg4X4aJCDpZzmgQI=
 golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20211101194204-95aca89e93de h1:dKoXPECQZ51dGVSkuiD9YzeNpLT4UPUY4d3xo0sWrkU=
-golang.org/x/net v0.0.0-20211101194204-95aca89e93de/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211209100829-84cba5454caf h1:Chci/BE/+xVqrcWnObL99NS8gtXyJrhHDlygBQrggHM=
+golang.org/x/net v0.0.0-20211209100829-84cba5454caf/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744 h1:yhBbb4IRs2HS9PPlAg6DMC6mUOKexJBNsLf4Z+6En1Q=
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 9112079a224..1b73da7f219 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4382,7 +4382,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
 		sc.canonHeader = make(map[string]string)
 	}
 	cv = CanonicalHeaderKey(v)
-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}
 	return cv
 }
 
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index f61fc51ba82..bb0b4c561da 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/subtle
 golang.org/x/crypto/poly1305
-# golang.org/x/net v0.0.0-20211101194204-95aca89e93de
+# golang.org/x/net v0.0.0-20211209100829-84cba5454caf
 ## explicit; go 1.17
 golang.org/x/net/dns/dnsmessage
 golang.org/x/net/http/httpguts
-- 
2.30.0