From 97b9a8c1e595e2527654e8e4124e4ebc048548a2 Mon Sep 17 00:00:00 2001
|
|
From: Filippo Valsorda <filippo@golang.org>
|
|
Date: Wed, 19 Jan 2022 11:31:33 +0800
|
|
Subject: [PATCH] [release-branch.go1.16] net/http: update bundled
|
|
golang.org/x/net/http2
|
|
|
|
Pull in security fix
|
|
|
|
a5309b3 http2: cap the size of the server's canonical header cache
|
|
|
|
Updates #50058
|
|
Fixes CVE-2021-44716
|
|
|
|
Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
|
|
Trust: Filippo Valsorda <filippo@golang.org>
|
|
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
Reviewed-by: Alex Rakoczy <alex@golang.org>
|
|
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a
|
|
---
|
|
src/net/http/h2_bundle.go | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
|
|
index 3d83084..06f8808 100644
|
|
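--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4289,7 +4289,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
 sc.canonHeader = make(map[string]string)
 }
 cv = CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
 return cv
 }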
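Review bot: The new guard `if len(sc.canonHeader) < maxCachedCanonicalHeaders` bounds how many keys the per-connection cache holds, but not how large each key is. Retained memory is therefore up to 32 entries times whatever key length the header-size limits allow, and those limits are enforced outside this hunk, so the comment should name that dependency, for example `// The cap counts entries, not bytes; key length is bounded by the header size limits enforced elsewhere.` Nothing is evicted, so the first 32 distinct keys a peer sends appear to stay cached for as long as this map lives. Later uncommon keys then fall through to `CanonicalHeaderKey` on every call, which is a bounded CPU cost rather than a memory one and is also worth a sentence in the comment. The body of `canonicalHeader` starts above the hunk, so the lookup path before `sc.canonHeader = make(...)` is not visible here.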
|
|
|
|
--
|
|
2.30.0
|
|
|