packages feed

http2 4.2.1 → 4.2.2

raw patch · 4 files changed

+14/−2 lines, 4 files

Files

ChangeLog.md view
@@ -1,7 +1,11 @@-## 4.2.1+## 4.2.2  * Adding rate limit for RST_STREAM to work around CVE-2023-44487.   [#94](https://github.com/kazu-yamamoto/http2/pull/94)++## 4.2.1++* This version is identical to v4.2.0 by accident.  ## 4.2.0 
Network/HTTP2/Arch/Context.hs view
@@ -88,6 +88,7 @@   , pingRate           :: Rate   , settingsRate       :: Rate   , emptyFrameRate     :: Rate+  , rstRate            :: Rate   , mySockAddr         :: SockAddr   , peerSockAddr       :: SockAddr   }@@ -115,6 +116,7 @@                <*> newDynamicTableForDecoding defaultDynamicTableSize 4096                <*> newTVarIO defaultWindowSize                <*> newIORef 0+               <*> newRate                <*> newRate                <*> newRate                <*> newRate
Network/HTTP2/Arch/Receiver.hs view
@@ -46,6 +46,9 @@ emptyFrameRateLimit :: Int emptyFrameRateLimit = 4 +rstRateLimit :: Int+rstRateLimit = 4+ ----------------------------------------------------------------  frameReceiver :: Context -> Config -> IO ()@@ -449,6 +452,9 @@  -- Transition (stream6) stream FrameRSTStream header@FrameHeader{streamId} bs ctx s strm = do+    rate <- getRate $ rstRate ctx+    when (rate > rstRateLimit) $+        E.throwIO $ ConnectionErrorIsSent ProtocolError streamId "too many rst_stream"     RSTStreamFrame err <- guardIt $ decodeRSTStreamFrame header bs     let cc = Reset err 
http2.cabal view
@@ -1,6 +1,6 @@ cabal-version:      >=1.10 name:               http2-version:            4.2.1+version:            4.2.2 license:            BSD3 license-file:       LICENSE maintainer:         Kazu Yamamoto <kazu@iij.ad.jp>