From 2f97ded92b2687e4157379895d7c28ae2f6233c7 Mon Sep 17 00:00:00 2001
From: Johnny Wang <wangjiahao@openresty.com>
Date: Wed, 18 Oct 2023 15:00:46 +0800
Subject: [PATCH] bugfix: applied the patch for secrity advisory to NGINX cores
 (CVE-2023-44487). (#931)

---
 patches/patch.2023.h2.txt | 51 +++++++++++++++++++++++++++++++++++++++
 util/mirror-tarballs      | 10 ++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 patches/patch.2023.h2.txt

diff --git a/patches/patch.2023.h2.txt b/patches/patch.2023.h2.txt
new file mode 100644
index 0000000..86bef58
--- /dev/null
+++ b/patches/patch.2023.h2.txt
@@ -0,0 +1,51 @@
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -347,6 +347,7 @@ ngx_http_v2_read_handler(ngx_event_t *re
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
+ 
+     h2c->blocked = 1;
++    h2c->new_streams = 0;
+ 
+     if (c->close) {
+         c->close = 0;
+@@ -1284,6 +1285,14 @@ ngx_http_v2_state_headers(ngx_http_v2_co
+         goto rst_stream;
+     }
+ 
++    if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "client sent too many streams at once");
++
++        status = NGX_HTTP_V2_REFUSED_STREAM;
++        goto rst_stream;
++    }
++
+     if (!h2c->settings_ack
+         && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
+         && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
+@@ -1349,6 +1358,12 @@ ngx_http_v2_state_headers(ngx_http_v2_co
+ 
+ rst_stream:
+ 
++    if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "client sent too many refused streams");
++        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
++    }
++
+     if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+     }
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s {
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
+     ngx_uint_t                       idle;
++    ngx_uint_t                       new_streams;
++    ngx_uint_t                       refused_streams;
+     ngx_uint_t                       priority_limit;
+ 
+     size_t                           send_window;
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index 7d006ad..54295fa 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -503,6 +503,16 @@ if [ "$answer" = "Y" ]; then
     fi
 fi
 
+answer=`$root/util/ver-ge "$main_ver" 1.9.5`
+if [ "$answer" = "Y" ]; then
+    answer=`$root/util/ver-ge "$main_ver" 1.25.2`
+    if [ "$answer" = "N" ]; then
+        echo "$info_txt applying the patch for nginx security advisory (CVE-2023-44487)"
+        patch -p1 < $root/patches/patch.2023.h2.txt || exit 1
+        echo
+    fi
+fi
+
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo