From a220be62476f30b39a7e701797777a6f3aabd599 Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Fri, 20 Mar 2020 11:26:42 -0700 Subject: [PATCH] Revert "bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)." This reverts commit aa16a49e9355edc1448cf739f655a1d836f45131. --- patches/patch.2019.h2.txt | 136 -------------------------------------- util/mirror-tarballs | 48 -------------- 2 files changed, 184 deletions(-) delete mode 100644 patches/patch.2019.h2.txt diff --git a/patches/patch.2019.h2.txt b/patches/patch.2019.h2.txt deleted file mode 100644 index 9dd0e88..0000000 --- a/patches/patch.2019.h2.txt +++ /dev/null @@ -1,136 +0,0 @@ ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, - header->name.len = h2c->state.field_end - h2c->state.field_start; - header->name.data = h2c->state.field_start; - -+ if (header->name.len == 0) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent zero header name length"); -+ -+ return ngx_http_v2_connection_error(h2c, -+ NGX_HTTP_V2_PROTOCOL_ERROR); -+ } -+ - return ngx_http_v2_state_field_len(h2c, pos, end); - } - -@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) - ngx_uint_t i; - ngx_http_core_srv_conf_t *cscf; - -- if (header->name.len == 0) { -- return NGX_ERROR; -- } -- - r->invalid_header = 0; - - cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) - */ - pool = stream->pool; - -+ h2c->frames -= stream->frames; -+ - ngx_http_free_request(stream->request, rc); - - if (pool != h2c->state.pool) { ---- src/http/v2/ngx_http_v2.h -+++ src/http/v2/ngx_http_v2.h -@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { - - ngx_buf_t *preread; - -+ ngx_uint_t frames; -+ - ngx_http_v2_out_frame_t *free_frames; - ngx_chain_t *free_frame_headers; - ngx_chain_t *free_bufs; ---- src/http/v2/ngx_http_v2_filter_module.c -+++ src/http/v2/ngx_http_v2_filter_module.c -@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t * - ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, - size_t len, ngx_chain_t *first, ngx_chain_t *last) - { -- u_char flags; -- ngx_buf_t *buf; -- ngx_chain_t *cl; -- ngx_http_v2_out_frame_t *frame; -+ u_char flags; -+ ngx_buf_t *buf; -+ ngx_chain_t *cl; -+ ngx_http_v2_out_frame_t *frame; -+ ngx_http_v2_connection_t *h2c; - - frame = stream->free_frames; -+ h2c = stream->connection; - - if (frame) { - stream->free_frames = frame->next; - -- } else { -+ } else if (h2c->frames < 10000) { - frame = ngx_palloc(stream->request->pool, - sizeof(ngx_http_v2_out_frame_t)); - if (frame == NULL) { - return NULL; - } -+ -+ stream->frames++; -+ h2c->frames++; -+ -+ } else { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "http2 flood detected"); -+ -+ h2c->connection->error = 1; -+ return NULL; - } - - flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev) - h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); - - h2c->concurrent_pushes = h2scf->concurrent_pushes; -+ h2c->priority_limit = h2scf->concurrent_streams; - - h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); - if (h2c->pool == NULL) { -@@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, - return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); - } - -+ if (--h2c->priority_limit == 0) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent too many PRIORITY frames"); -+ -+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); -+ } -+ - if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { - return ngx_http_v2_state_save(h2c, pos, end, - ngx_http_v2_state_priority); -@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push) - h2c->processing++; - } - -+ h2c->priority_limit += h2scf->concurrent_streams; -+ - return stream; - } - ---- src/http/v2/ngx_http_v2.h -+++ src/http/v2/ngx_http_v2.h -@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { - ngx_uint_t processing; - ngx_uint_t frames; - ngx_uint_t idle; -+ ngx_uint_t priority_limit; - - ngx_uint_t pushing; - ngx_uint_t concurrent_pushes; - diff --git a/util/mirror-tarballs b/util/mirror-tarballs index cea5ef4..51156f4 100755 --- a/util/mirror-tarballs +++ b/util/mirror-tarballs @@ -404,54 +404,6 @@ if [ "$main_ver" = "1.13.6" ]; then echo fi -answer=`$root/util/ver-ge "$main_ver" 1.9.5` -if [ "$answer" = "Y" ]; then - answer=`$root/util/ver-ge "$main_ver" 1.14.1` - if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)" - patch -p0 < $root/patches/patch.2018.h2.txt || exit 1 - echo - elif [ `$root/util/ver-ge "$main_ver" 1.15.0` = "Y" ]; then - answer=`$root/util/ver-ge "$main_ver" 1.15.6` - if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)" - patch -p0 < $root/patches/patch.2018.h2.txt || exit 1 - echo - fi - fi -fi - -answer=`$root/util/ver-ge "$main_ver" 1.14.1` -if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16845)" - patch -p0 < $root/patches/patch.2018.mp4.txt || exit 1 - echo -else - answer=`$root/util/ver-ge "$main_ver" 1.15.6` - if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16845)" - patch -p0 < $root/patches/patch.2018.mp4.txt || exit 1 - echo - fi -fi - -answer=`$root/util/ver-ge "$main_ver" 1.9.5` -if [ "$answer" = "Y" ]; then - answer=`$root/util/ver-ge "$main_ver" 1.16.1` - if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)" - patch -p0 < $root/patches/patch.2019.h2.txt || exit 1 - echo - elif [ `$root/util/ver-ge "$main_ver" 1.17.0` = "Y" ]; then - answer=`$root/util/ver-ge "$main_ver" 1.17.3` - if [ "$answer" = "N" ]; then - echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)" - patch -p0 < $root/patches/patch.2019.h2.txt || exit 1 - echo - fi - fi -fi - rm -f *.patch || exit 1 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"