http2 4.2.1 → 4.2.2
raw patch · 4 files changed
+14/−2 lines, 4 files
Files
- ChangeLog.md +5/−1
- Network/HTTP2/Arch/Context.hs +2/−0
- Network/HTTP2/Arch/Receiver.hs +6/−0
- http2.cabal +1/−1
ChangeLog.md view
@@ -1,7 +1,11 @@-## 4.2.1+## 4.2.2 * Adding rate limit for RST_STREAM to work around CVE-2023-44487. [#94](https://github.com/kazu-yamamoto/http2/pull/94)++## 4.2.1++* This version is identical to v4.2.0 by accident. ## 4.2.0
Network/HTTP2/Arch/Context.hs view
@@ -88,6 +88,7 @@ , pingRate :: Rate , settingsRate :: Rate , emptyFrameRate :: Rate+ , rstRate :: Rate , mySockAddr :: SockAddr , peerSockAddr :: SockAddr }@@ -115,6 +116,7 @@ <*> newDynamicTableForDecoding defaultDynamicTableSize 4096 <*> newTVarIO defaultWindowSize <*> newIORef 0+ <*> newRate <*> newRate <*> newRate <*> newRate
Network/HTTP2/Arch/Receiver.hs view
@@ -46,6 +46,9 @@ emptyFrameRateLimit :: Int emptyFrameRateLimit = 4 +rstRateLimit :: Int+rstRateLimit = 4+ ---------------------------------------------------------------- frameReceiver :: Context -> Config -> IO ()@@ -449,6 +452,9 @@ -- Transition (stream6) stream FrameRSTStream header@FrameHeader{streamId} bs ctx s strm = do+ rate <- getRate $ rstRate ctx+ when (rate > rstRateLimit) $+ E.throwIO $ ConnectionErrorIsSent ProtocolError streamId "too many rst_stream" RSTStreamFrame err <- guardIt $ decodeRSTStreamFrame header bs let cc = Reset err
http2.cabal view
@@ -1,6 +1,6 @@ cabal-version: >=1.10 name: http2-version: 4.2.1+version: 4.2.2 license: BSD3 license-file: LICENSE maintainer: Kazu Yamamoto <kazu@iij.ad.jp>