aboutsummaryrefslogtreecommitdiffstats
path: root/src/cowboy_stream_h.erl
diff options
context:
space:
mode:
authorLoïc Hoguin <[email protected]>2019-10-02 10:44:45 +0200
committerLoïc Hoguin <[email protected]>2019-10-02 10:44:45 +0200
commitab44985a9eeb1f664f38d6049a2532d83de7fa18 (patch)
tree3d9f1045151ae38a3cf13f019134ff892c21f1b8 /src/cowboy_stream_h.erl
parente1d452411873cc11530f5e01d30b5f27e38a9423 (diff)
downloadcowboy-ab44985a9eeb1f664f38d6049a2532d83de7fa18.tar.gz
cowboy-ab44985a9eeb1f664f38d6049a2532d83de7fa18.tar.bz2
cowboy-ab44985a9eeb1f664f38d6049a2532d83de7fa18.zip
Fix HTTP/2 CVEs
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
Diffstat (limited to 'src/cowboy_stream_h.erl')
-rw-r--r--src/cowboy_stream_h.erl11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/cowboy_stream_h.erl b/src/cowboy_stream_h.erl
index cc9e271..9397726 100644
--- a/src/cowboy_stream_h.erl
+++ b/src/cowboy_stream_h.erl
@@ -220,8 +220,8 @@ info(StreamID, Response={response, _, _, _}, State) ->
do_info(StreamID, Response, [Response], State#state{expect=undefined});
info(StreamID, Headers={headers, _, _}, State) ->
do_info(StreamID, Headers, [Headers], State#state{expect=undefined});
-%% Sending data involves the data message and the stream_buffer_full alarm.
-%% We stop sending acks when the alarm is on.
+%% Sending data involves the data message, the stream_buffer_full alarm
+%% and the connection_buffer_full alarm. We stop sending acks when an alarm is on.
info(StreamID, Data={data, _, _}, State0=#state{pid=Pid, stream_body_status=Status}) ->
State = case Status of
normal ->
@@ -233,10 +233,13 @@ info(StreamID, Data={data, _, _}, State0=#state{pid=Pid, stream_body_status=Stat
State0
end,
do_info(StreamID, Data, [Data], State);
-info(StreamID, Alarm={alarm, stream_buffer_full, on}, State) ->
+info(StreamID, Alarm={alarm, Name, on}, State)
+ when Name =:= connection_buffer_full; Name =:= stream_buffer_full ->
do_info(StreamID, Alarm, [], State#state{stream_body_status=blocking});
-info(StreamID, Alarm={alarm, stream_buffer_full, off}, State=#state{pid=Pid, stream_body_status=Status}) ->
+info(StreamID, Alarm={alarm, Name, off}, State=#state{pid=Pid, stream_body_status=Status})
+ when Name =:= connection_buffer_full; Name =:= stream_buffer_full ->
_ = case Status of
+ normal -> ok;
blocking -> ok;
blocked -> Pid ! {data_ack, self()}
end,