From 7b6adc7e5a44d34820ec84f9fb34ec3f4402b732 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Sun, 7 Apr 2024 07:03:46 +0000
Subject: [PATCH] fix CVE-2024-27316

(cherry picked from commit 9cab331c8f9e9253a1226474e3d4e25b93902d62)
---
 backport-CVE-2024-27316.patch | 56 +++++++++++++++++++++++++++++++++++
 mod_http2.spec | 10 ++++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-27316.patch
diff --git a/backport-CVE-2024-27316.patch b/backport-CVE-2024-27316.patch
new file mode 100644
index 0000000..86b7986
--- /dev/null
+++ b/backport-CVE-2024-27316.patch
@@ -0,0 +1,56 @@
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+ mod_http2/h2_session.c | 10 +++++++---
+ mod_http2/h2_stream.c | 1 +
+ mod_http2/h2_stream.h | 1 +
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index 1e560e47..6d379cc5 100644
+--- a/mod_http2/h2_session.c
++++ b/mod_http2/h2_session.c
+@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+
+ status = h2_stream_add_header(stream, (const char *)name, namelen,
+ (const char *)value, valuelen);
+- if (status != APR_SUCCESS
+- && (!stream->rtmp
+- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
++ if (status != APR_SUCCESS &&
++ (!stream->rtmp ||
++ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
++ /* We accept a certain amount of failures in order to reply
++ * with an informative HTTP error response like 413. But of the
++ * client is too wrong, we fail the request an RESET the stream */
++ stream->request_headers_failed > 100)) {
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index f6c92024..ee87555f 100644
+--- a/mod_http2/h2_stream.c
++++ b/mod_http2/h2_stream.c
+@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+
+ cleanup:
+ if (error) {
++ ++stream->request_headers_failed;
+ set_error_response(stream, error);
+ return APR_EINVAL;
+ }
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index d68d4260..405978a4 100644
+--- a/mod_http2/h2_stream.h
++++ b/mod_http2/h2_stream.h
+@@ -91,6 +91,7 @@ struct h2_stream {
+ struct h2_request *rtmp; /* request being assembled */
+ apr_table_t *trailers; /* optional incoming trailers */
+ int request_headers_added; /* number of request headers added */
++ int request_headers_failed; /* number of request headers failed to add */
+
+ struct h2_bucket_beam *input;
+ apr_bucket_brigade *in_buffer;
diff --git a/mod_http2.spec b/mod_http2.spec
index ab1afc8..be2e7ed 100644
--- a/mod_http2.spec
+++ b/mod_http2.spec
@@ -2,12 +2,14 @@ Name: mod_http2
 Version: 1.15.25
-Release: 2
+Release: 3
 Summary: Support for the HTTP/2 transport layer
 License: ASL 2.0
 URL: https://icing.github.io/mod_h2/
 Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch1: fix-build-with-earlier-2.4.x-which-don-t-define-AP_S.patch
+Patch2: backport-CVE-2024-27316.patch
+
 BuildRequires: gcc pkgconfig httpd-devel libnghttp2-devel openssl-devel autoconf libtool hostname
 Requires: httpd-mmn = %{_httpd_mmn}
@@ -50,6 +52,12 @@ make check
 %exclude /etc/httpd/share/doc/*
 %changelog
+* Sun Apr 07 2024 gaihuiying - 1.15.25-3
+- Type:cves
+- CVE:CVE-2024-27316
+- SUG:NA
+- DESC:fix CVE-2024-27316
+
 * Wed Oct 19 2022 gaihuiying - 1.15.25-2
 - Typebugfix
 - ID:NA
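Review bot: In the h2_session.c hunk carried by backport-CVE-2024-27316.patch, the failure limit is the bare literal `100` inside the `on_header_cb` condition, and its explanatory comment sits in the middle of the boolean expression. A named constant would make the bound easier to find and audit, e.g. `stream->request_headers_failed > H2_MAX_FAILED_REQ_HEADERS)) {` (the name is only a suggestion), with the comment moved above the `if` and corrected to read "But if the client is too wrong, we fail the request and RESET the stream". The counter is incremented only in the `if (error)` branch under `cleanup:` in `h2_stream_add_header`, whose body lies mostly outside the hunk, so it is worth confirming that no failure return bypasses that branch and escapes the limit. Since this is a backport of an upstream fix, these points are better raised upstream than patched locally.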