mirror
/
go
mirror of https://github.com/golang/go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[release-branch.go1.21] net/http: update bundled golang.org/x/net/http2 

Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2023-45288
For #65051
Fixes #65387

Change-Id: I17da6da2fe0dd70062b49f94377875acb34829a1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197267
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/576075
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Commit-Queue: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
This commit is contained in:
Damien Neil 2024-03-28 16:49:40 -07:00 committed by Gopher Robot
parent 30d8550669
commit ae5913347d
2 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/cmd/internal/moddeps/moddeps_test.go
View File

@ -33,6 +33,8 @@ import (
// See issues 36852, 41409, and 43687. // See issues 36852, 41409, and 43687.
// (Also see golang.org/issue/27348.) // (Also see golang.org/issue/27348.)
func TestAllDependencies(t *testing.T) { func TestAllDependencies(t *testing.T) {
t.Skip("TODO(#65051): 1.21.9 contains unreleased changes from vendored modules")
goBin := testenv.GoToolPath(t) goBin := testenv.GoToolPath(t)
// Ensure that all packages imported within GOROOT // Ensure that all packages imported within GOROOT

31
src/net/http/h2_bundle.go
View File

@ -2966,6 +2966,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
if size > remainSize { if size > remainSize {
hdec.SetEmitEnabled(false) hdec.SetEmitEnabled(false)
mh.Truncated = true mh.Truncated = true
remainSize = 0
return return
} }
remainSize -= size remainSize -= size
@ -2978,6 +2979,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
var hc http2headersOrContinuation = hf var hc http2headersOrContinuation = hf
for { for {
frag := hc.HeaderBlockFragment() frag := hc.HeaderBlockFragment()
// Avoid parsing large amounts of headers that we will then discard.
// If the sender exceeds the max header list size by too much,
// skip parsing the fragment and close the connection.
//
// "Too much" is either any CONTINUATION frame after we've already
// exceeded the max header list size (in which case remainSize is 0),
// or a frame whose encoded size is more than twice the remaining
// header list bytes we're willing to accept.
if int64(len(frag)) > int64(2*remainSize) {
if http2VerboseLogs {
log.Printf("http2: header list too large")
}
// It would be nice to send a RST_STREAM before sending the GOAWAY,
// but the struture of the server's frame writer makes this difficult.
return nil, http2ConnectionError(http2ErrCodeProtocol)
}
// Also close the connection after any CONTINUATION frame following an
// invalid header, since we stop tracking the size of the headers after
// an invalid one.
if invalid != nil {
if http2VerboseLogs {
log.Printf("http2: invalid header: %v", invalid)
}
// It would be nice to send a RST_STREAM before sending the GOAWAY,
// but the struture of the server's frame writer makes this difficult.
return nil, http2ConnectionError(http2ErrCodeProtocol)
}
if _, err := hdec.Write(frag); err != nil { if _, err := hdec.Write(frag); err != nil {
return nil, http2ConnectionError(http2ErrCodeCompression) return nil, http2ConnectionError(http2ErrCodeCompression)
} }