From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
From: James M Snell
Date: Sun, 19 Apr 2020 09:12:24 -0700
Subject: [PATCH] Earlier check for settings flood
CVE: CVE-2020-11080
Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch]
Comment: No hunk refreshed
Affects-version: < v1.41.0
Signed-off-by: Rahul Taya
---
 lib/nghttp2_session.c | 6 ++++++
 1 file changed, 6 insertions(+)
Index: nghttp2-1.40.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.40.0/lib/nghttp2_session.c
@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2
 break;
 }
 
+ /* Check the settings flood counter early to be safe */
+ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
+ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
+ return NGHTTP2_ERR_FLOODED;
+ }
+
 iframe->state = NGHTTP2_IB_READ_SETTINGS;
 
 if (iframe->payloadleft) {
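Review bot: The added guard only fires once `session->obq_flood_counter_` has already reached `session->max_outbound_ack`, so a non-ACK SETTINGS frame that arrives below that limit still moves to `NGHTTP2_IB_READ_SETTINGS` and has its whole payload read; this hunk on its own does not bound the work done per frame. If this backport is meant to close CVE-2020-11080 on 1.40.0, confirm that the companion upstream change capping the number of entries accepted in one SETTINGS frame (exposed in 1.41.0 as `nghttp2_option_set_max_settings`, as far as I recall) is carried too, since that cannot be seen from this patch. The comment "to be safe" also does not say what is being protected; something like `/* Reject a non-ACK SETTINGS frame before its payload is read once obq_flood_counter_ has reached max_outbound_ack */` would record why the check sits ahead of the state change. The body of `nghttp2_session_mem_recv` starts and ends outside the hunk, so whether callers treat `NGHTTP2_ERR_FLOODED` as fatal and drop the connection should be checked there.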