http2: treat non-EOF empty frames like other invalid frames

addaleax · targos · commit d8da265c81fb · 2021-06-11T09:30:22.000+02:00
Use the existing mechanism that we have to keep track of invalid frames for treating this specific kind of invalid frame. The commit that originally introduced this check was 695e38b, which was supposed to proected against CVE-2019-9518, which in turn was specifically about a *flood* of empty data frames. While these are still invalid frames either way, it makes sense to be forgiving here and just treat them like other invalid frames, i.e. to allow a small (configurable) number of them. Fixes: #37849 PR-URL: #37875 Backport-PR-URL: #38673 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
diff --git a/src/node_http2.cc b/src/node_http2.cc
@@ -1277,7 +1277,11 @@ int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
       frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
     stream->EmitRead(UV_EOF);
   } else if (frame->hd.length == 0) {
-    return 1;  // Consider 0-length frame without END_STREAM an error.
+    if (invalid_frame_count_++ > js_fields_->max_invalid_frames) {
+      Debug(this, "rejecting empty-frame-without-END_STREAM flood\n");
+      // Consider a flood of 0-length frames without END_STREAM an error.
+      return 1;
+    }
   }
   return 0;
 }
diff --git a/test/fixtures/emptyframe.http2 b/test/fixtures/emptyframe.http2
diff --git a/test/parallel/test-http2-empty-frame-without-eof.js b/test/parallel/test-http2-empty-frame-without-eof.js
@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const { readSync } = require('../common/fixtures');
+const net = require('net');
+const http2 = require('http2');
+const { once } = require('events');
+
+async function main() {
+  const blobWithEmptyFrame = readSync('emptyframe.http2');
+  const server = net.createServer((socket) => {
+    socket.end(blobWithEmptyFrame);
+  }).listen(0);
+  await once(server, 'listening');
+
+  for (const maxSessionInvalidFrames of [0, 2]) {
+    const client = http2.connect(`http://localhost:${server.address().port}`, {
+      maxSessionInvalidFrames
+    });
+    const stream = client.request({
+      ':method': 'GET',
+      ':path': '/'
+    });
+    if (maxSessionInvalidFrames) {
+      stream.on('error', common.mustNotCall());
+      client.on('error', common.mustNotCall());
+    } else {
+      stream.on('error', common.mustCall());
+      client.on('error', common.mustCall());
+    }
+    stream.resume();
+    await once(stream, 'end');
+    client.close();
+  }
+  server.close();
+}
+
+main().then(common.mustCall());

Original file line number	Diff line number	Diff line change
`@@ -1277,7 +1277,11 @@ int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {`
`1277`	`1277`	`frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {`
`1278`	`1278`	`stream->EmitRead(UV_EOF);`
`1279`	`1279`	`} else if (frame->hd.length == 0) {`
`1280`		`- return 1; // Consider 0-length frame without END_STREAM an error.`
	`1280`	`+ if (invalid_frame_count_++ > js_fields_->max_invalid_frames) {`
	`1281`	`+ Debug(this, "rejecting empty-frame-without-END_STREAM flood\n");`
	`1282`	`+ // Consider a flood of 0-length frames without END_STREAM an error.`
	`1283`	`+ return 1;`
	`1284`	`+ }`
`1281`	`1285`	`}`
`1282`	`1286`	`return 0;`
`1283`	`1287`	`}`