fix CVE-2024-27316

(cherry picked from commit 9cab331c8f9e9253a1226474e3d4e25b93902d62)
2024-04-07 07:03:46 +00:00 · 2024-04-07 07:03:46 +00:00 · 7b6adc7e5a
commit 7b6adc7e5a
parent 7f3408ee9f
2 changed files with 65 additions and 1 deletions
--- a/backport-CVE-2024-27316.patch
+++ b/backport-CVE-2024-27316.patch
@ -0,0 +1,56 @@
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+ mod_http2/h2_session.c | 10 +++++++---
+ mod_http2/h2_stream.c  |  1 +
+ mod_http2/h2_stream.h  |  1 +
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index 1e560e47..6d379cc5 100644
+--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
+@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+     
+     status = h2_stream_add_header(stream, (const char *)name, namelen,
+                                   (const char *)value, valuelen);
+-    if (status != APR_SUCCESS
+-        && (!stream->rtmp
+-            || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
+    if (status != APR_SUCCESS &&
+        (!stream->rtmp ||
+         stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
+         /* We accept a certain amount of failures in order to reply
+          * with an informative HTTP error response like 413. But of the
+          * client is too wrong, we fail the request an RESET the stream */
+         stream->request_headers_failed > 100)) {
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+     }
+     return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index f6c92024..ee87555f 100644
+--- a/mod_http2/h2_stream.c
+++ b/mod_http2/h2_stream.c
+@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+     
+ cleanup:
+     if (error) {
+        ++stream->request_headers_failed;
+         set_error_response(stream, error);
+         return APR_EINVAL; 
+     }
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index d68d4260..405978a4 100644
+--- a/mod_http2/h2_stream.h
+++ b/mod_http2/h2_stream.h
+@@ -91,6 +91,7 @@ struct h2_stream {
+     struct h2_request *rtmp;    /* request being assembled */
+     apr_table_t *trailers;      /* optional incoming trailers */
+     int request_headers_added;  /* number of request headers added */
+    int request_headers_failed; /* number of request headers failed to add */
+     
+     struct h2_bucket_beam *input;
+     apr_bucket_brigade *in_buffer;
--- a/mod_http2.spec
+++ b/mod_http2.spec
@ -2,12 +2,14 @@

 Name:           mod_http2
 Version:        1.15.25
-Release:        2
+Release:        3
 Summary:        Support for the HTTP/2 transport layer
 License:        ASL 2.0
 URL:            https://icing.github.io/mod_h2/
 Source0:        https://github.com/icing/mod_h2/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch1:         fix-build-with-earlier-2.4.x-which-don-t-define-AP_S.patch
+Patch2:         backport-CVE-2024-27316.patch
+
 BuildRequires:  gcc pkgconfig httpd-devel libnghttp2-devel openssl-devel autoconf libtool hostname
 Requires:       httpd-mmn = %{_httpd_mmn}

@ -50,6 +52,12 @@ make check
 %exclude /etc/httpd/share/doc/*

 %changelog
+* Sun Apr 07 2024 gaihuiying <eaglegai@163.com> - 1.15.25-3
+- Type:cves
+- CVE:CVE-2024-27316
+- SUG:NA
+- DESC:fix CVE-2024-27316
+
 * Wed Oct 19 2022 gaihuiying <eaglegai@163.com> - 1.15.25-2
 - Typebugfix
 - ID:NA