| ... | ... | --- /dev/null |
| ... | ... | +++ b/CVE-2023-44487.patch |
| ... | ... | @@ -0,0 +1,49 @@ |
| 1 |
--- a/src/http/v2/ngx_http_v2.c 2023-04-11 04:45:34.000000000 +0300
|
|
| 2 |
+++ b/src/http/v2/ngx_http_v2.c 2023-10-20 11:09:13.223333324 +0300
|
|
| 3 |
@@ -361,6 +361,7 @@
|
|
| 4 |
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
|
|
| 5 |
|
|
| 6 |
h2c->blocked = 1;
|
|
| 7 |
+ h2c->new_streams = 0;
|
|
| 8 |
|
|
| 9 |
if (c->close) {
|
|
| 10 |
c->close = 0;
|
|
| 11 |
@@ -1321,6 +1322,14 @@
|
|
| 12 |
goto rst_stream;
|
|
| 13 |
}
|
|
| 14 |
|
|
| 15 |
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
|
|
| 16 |
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
|
| 17 |
+ "client sent too many streams at once");
|
|
| 18 |
+
|
|
| 19 |
+ status = NGX_HTTP_V2_REFUSED_STREAM;
|
|
| 20 |
+ goto rst_stream;
|
|
| 21 |
+ }
|
|
| 22 |
+
|
|
| 23 |
if (!h2c->settings_ack
|
|
| 24 |
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
|
|
| 25 |
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
|
|
| 26 |
@@ -1386,6 +1395,12 @@
|
|
| 27 |
|
|
| 28 |
rst_stream:
|
|
| 29 |
|
|
| 30 |
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
|
|
| 31 |
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
|
| 32 |
+ "client sent too many refused streams");
|
|
| 33 |
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
|
|
| 34 |
+ }
|
|
| 35 |
+
|
|
| 36 |
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
|
|
| 37 |
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
|
|
| 38 |
}
|
|
| 39 |
--- a/src/http/v2/ngx_http_v2.h 2023-04-11 04:45:34.000000000 +0300
|
|
| 40 |
+++ b/src/http/v2/ngx_http_v2.h 2023-10-20 11:11:35.989999994 +0300
|
|
| 41 |
@@ -124,6 +124,8 @@
|
|
| 42 |
ngx_uint_t processing;
|
|
| 43 |
ngx_uint_t frames;
|
|
| 44 |
ngx_uint_t idle;
|
|
| 45 |
+ ngx_uint_t new_streams;
|
|
| 46 |
+ ngx_uint_t refused_streams;
|
|
| 47 |
ngx_uint_t priority_limit;
|
|
| 48 |
|
|
| 49 |
ngx_uint_t pushing;
|
| ... | ... | --- a/nginx.spec |
| ... | ... | +++ b/nginx.spec |
| ... | ... | @@ -34,7 +34,7 @@ |
| 34 | 34 |
Summary: Robust, small and high performance HTTP and reverse proxy server
|
| 35 | 35 |
Name: nginx
|
| 36 | 36 |
Version: 1.24.0
|
| 37 |
Release: 2
|
|
| 37 |
Release: 3
|
|
| 38 | 38 |
Epoch: 2
|
| 39 | 39 |
# BSD License (two clause)
|
| 40 | 40 |
# http://www.freebsd.org/copyright/freebsd-license.html
|
| ... | ... | @@ -57,6 +57,8 @@ Source100: index.html |
| … | … | |
| 57 | 57 |
Source102: nginx-logo.png
|
| 58 | 58 |
Source103: 50x.html
|
| 59 | 59 |
Source104: 404.html
|
| 60 |
# https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
|
|
| 61 |
Patch0: CVE-2023-44487.patch
|
|
| 60 | 62 |
BuildRequires: systemd-units
|
| 61 | 63 |
BuildRequires: gd-devel
|
| 62 | 64 |
BuildRequires: perl-devel
|
| ... | ... | @@ -315,6 +317,8 @@ tar -xf %{SOURCE15} |
| … | … | |
| 317 | 317 |
tar -xf %{SOURCE16}
|
| 318 | 318 |
tar -xf %{SOURCE17}
|
| 319 | 319 |
|
| 320 |
%patch0 -p1
|
|
| 321 |
|
|
| 320 | 322 |
%build
|
| 321 | 323 |
%setup_compile_flags
|
| 322 | 324 |
|
:+1:
New comment