aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch')
-rw-r--r--meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
new file mode 100644
index 0000000000..ca181bb4b2
--- /dev/null
+++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
@@ -0,0 +1,31 @@
+From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Sun, 19 Apr 2020 09:12:24 -0700
+Subject: [PATCH] Earlier check for settings flood
+
+CVE: CVE-2020-11080
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch]
+Comment: No hunk refreshed
+Affects-version: < v1.41.0
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ lib/nghttp2_session.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: nghttp2-1.40.0/lib/nghttp2_session.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
++++ nghttp2-1.40.0/lib/nghttp2_session.c
+@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2
+ break;
+ }
+
++ /* Check the settings flood counter early to be safe */
++ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
++ return NGHTTP2_ERR_FLOODED;
++ }
++
+ iframe->state = NGHTTP2_IB_READ_SETTINGS;
+
+ if (iframe->payloadleft) {