Created
October 11, 2023 12:02
-
-
Save Habbie/3bcc612067267a51633343bc508cdf70 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/community/dnsdist/APKBUILD b/community/dnsdist/APKBUILD | |
| index 1a1f7b8f568..a9e244e361d 100644 | |
| --- a/community/dnsdist/APKBUILD | |
| +++ b/community/dnsdist/APKBUILD | |
| @@ -1,7 +1,7 @@ | |
| # Maintainer: Peter van Dijk <[email protected]> | |
| pkgname=dnsdist | |
| pkgver=1.8.1 | |
| -pkgrel=0 | |
| +pkgrel=1 | |
| pkgdesc="dnsdist is a highly DNS-, DoS-, and abuse-aware loadbalancer." | |
| url="https://dnsdist.org/" | |
| # s390x blocked by h2o | |
| @@ -13,7 +13,7 @@ checkdepends="findutils" | |
| makedepends=" | |
| boost-dev | |
| fstrm-dev | |
| - h2o-dev | |
| + h2o-dev>=2.2.6-r10 | |
| libedit-dev | |
| libsodium-dev | |
| lmdb-dev | |
| diff --git a/community/h2o/APKBUILD b/community/h2o/APKBUILD | |
| index 93bb8f17ff3..22dbcf350b8 100644 | |
| --- a/community/h2o/APKBUILD | |
| +++ b/community/h2o/APKBUILD | |
| @@ -3,7 +3,7 @@ | |
| # Maintainer: | |
| pkgname=h2o | |
| pkgver=2.2.6 | |
| -pkgrel=9 | |
| +pkgrel=10 | |
| pkgdesc="An optimized HTTP/1, HTTP/2 server written in C" | |
| url="https://h2o.examp1e.net" | |
| arch="all !s390x" | |
| @@ -58,6 +58,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/h2o/h2o/archive/v$pkgver.tar | |
| increasewaitforserverstartintests.patch | |
| fix-ruby-3.0-compat.patch | |
| ruby-file-exists.patch | |
| + cve-2023-44487.patch | |
| " | |
| options="!check" # various tests fails | |
| @@ -115,4 +116,5 @@ a5df628f200475f5db6eb9d1714e955cd33c2de3081ee5f770929833a4cb9e5030fe338c23bcfb51 | |
| 26c4f34bdcb82cdca00b81e8c3223a1c517f912f433e99ae4a9aa16481db2cd23fc77f65773932f8c6e30cb5e34d5d37e0e7a022518a6a13db75d8e16fee2ab4 increasewaitforserverstartintests.patch | |
| 8d5f6f6232fba5b36f4bdba2d3c815add434b5f1d063241639cf963b5caea53ff9d459b60cd391d6b043fa17ca022e5bde7a04aec60185ff791d167d518eba74 fix-ruby-3.0-compat.patch | |
| d872bb6e91d96500c325d02a5a0df9d500831255752f088ee03b1f87ca45293fb10f281b8bed730824937833466f00ddbaa9c0282c4975bb88a2aade1743284f ruby-file-exists.patch | |
| +7968a7fdf547b32af454e01f51ee588c8de5db0b2d14e9d7582eed83241c339b922307207803c7f6f9d93c899e03922b38ac6eda0ead85d56e066109d14733b6 cve-2023-44487.patch | |
| " | |
| diff --git a/community/h2o/cve-2023-44487.patch b/community/h2o/cve-2023-44487.patch | |
| new file mode 100644 | |
| index 00000000000..15dc933346a | |
| --- /dev/null | |
| +++ b/community/h2o/cve-2023-44487.patch | |
| @@ -0,0 +1,254 @@ | |
| +commit d07b601a5549798f8e500582336756e04dfd25c5 | |
| +Author: Remi Gacogne <[email protected]> | |
| +Date: Tue Oct 10 15:47:57 2023 +0200 | |
| + | |
| + [http2] delay processing requests upon observing suspicious behavior | |
| + | |
| + Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x | |
| + | |
| +and | |
| + | |
| +commit e47cd15ff1fec9211088c809cb92593800dd4da2 | |
| +Author: Peter van Dijk <[email protected]> | |
| +Date: Wed Oct 11 11:39:48 2023 +0200 | |
| + | |
| + bump soname | |
| + | |
| + | |
| + | |
| +diff --git a/include/h2o.h b/include/h2o.h | |
| +index 57877bd12..409cd5c21 100644 | |
| +--- a/include/h2o.h | |
| ++++ b/include/h2o.h | |
| +@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t { | |
| + * list of callbacks | |
| + */ | |
| + h2o_protocol_callbacks_t callbacks; | |
| ++ /** | |
| ++ * milliseconds to delay processing requests when suspicious behavior is detected | |
| ++ */ | |
| ++ uint64_t dos_delay; | |
| + } http2; | |
| + | |
| + struct { | |
| +@@ -590,6 +594,10 @@ struct st_h2o_context_t { | |
| + * timeout entry used for graceful shutdown | |
| + */ | |
| + h2o_timeout_entry_t _graceful_shutdown_timeout; | |
| ++ /* | |
| ++ * dos timeout | |
| ++ */ | |
| ++ h2o_timeout_t dos_delay_timeout; | |
| + struct { | |
| + /** | |
| + * counter for http2 errors internally emitted by h2o | |
| +diff --git a/include/h2o/http2_internal.h b/include/h2o/http2_internal.h | |
| +index 5cfc4d820..b9cf40092 100644 | |
| +--- a/include/h2o/http2_internal.h | |
| ++++ b/include/h2o/http2_internal.h | |
| +@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t { | |
| + h2o_linklist_t link; | |
| + h2o_http2_scheduler_openref_t scheduler; | |
| + } _refs; | |
| ++ unsigned reset_by_peer : 1; | |
| + h2o_send_state_t send_state; /* state of the ostream, only used in push mode */ | |
| + /* placed at last since it is large and has it's own ctor */ | |
| + h2o_req_t req; | |
| +@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t { | |
| + } _write; | |
| + h2o_cache_t *push_memo; | |
| + h2o_http2_casper_t *casper; | |
| ++ /** | |
| ++ * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior | |
| ++ */ | |
| ++ struct { | |
| ++ h2o_timeout_entry_t process_delay; | |
| ++ size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */ | |
| ++ } dos_mitigation; | |
| + }; | |
| + | |
| + int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc); | |
| +diff --git a/lib/core/config.c b/lib/core/config.c | |
| +index ce1d32018..08e43a6d3 100644 | |
| +--- a/lib/core/config.c | |
| ++++ b/lib/core/config.c | |
| +@@ -189,6 +189,7 @@ void h2o_config_init(h2o_globalconf_t *config) | |
| + config->http2.latency_optimization.min_rtt = 50; // milliseconds | |
| + config->http2.latency_optimization.max_additional_delay = 10; | |
| + config->http2.latency_optimization.max_cwnd = 65535; | |
| ++ config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */ | |
| + config->http2.callbacks = H2O_HTTP2_CALLBACKS; | |
| + config->mimemap = h2o_mimemap_create(); | |
| + | |
| +diff --git a/lib/core/configurator.c b/lib/core/configurator.c | |
| +index 891770cc2..4731ba270 100644 | |
| +--- a/lib/core/configurator.c | |
| ++++ b/lib/core/configurator.c | |
| +@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_configurator_command_t *cmd, h2o_configura | |
| + return 0; | |
| + } | |
| + | |
| ++ | |
| ++static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node) | |
| ++{ | |
| ++ return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay); | |
| ++} | |
| ++ | |
| + static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node) | |
| + { | |
| + if (node->type != YOML_TYPE_SCALAR) { | |
| +@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_globalconf_t *conf) | |
| + on_config_http2_push_preload); | |
| + h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST, | |
| + on_config_http2_casper); | |
| ++ h2o_configurator_define_command(&c->super, "http2-dos-delay", | |
| ++ H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR, | |
| ++ on_config_http2_dos_delay); | |
| + h2o_configurator_define_command(&c->super, "file.mime.settypes", | |
| + (H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) | | |
| + H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING, | |
| +diff --git a/lib/core/context.c b/lib/core/context.c | |
| +index 8d1101381..ac4b0aaf0 100644 | |
| +--- a/lib/core/context.c | |
| ++++ b/lib/core/context.c | |
| +@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx, h2o_loop_t *loop, h2o_globalconf_t *co | |
| + h2o_linklist_init_anchor(&ctx->http1._conns); | |
| + h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout); | |
| + h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout); | |
| ++ h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay); | |
| + h2o_linklist_init_anchor(&ctx->http2._conns); | |
| + ctx->proxy.client_ctx.loop = loop; | |
| + h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout); | |
| +@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *ctx) | |
| + h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout); | |
| + h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout); | |
| + h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout); | |
| ++ h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout); | |
| + h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout); | |
| + /* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */ | |
| + | |
| +diff --git a/lib/http2/connection.c b/lib/http2/connection.c | |
| +index e2da29304..4910e3309 100644 | |
| +--- a/lib/http2/connection.c | |
| ++++ b/lib/http2/connection.c | |
| +@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http2_conn_t *conn) | |
| + h2o_timeout_unlink(&conn->_timeout_entry); | |
| + | |
| + if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) { | |
| +- assert(h2o_linklist_is_empty(&conn->_pending_reqs)); | |
| + conn->_timeout_entry.cb = on_idle_timeout; | |
| + h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry); | |
| + } | |
| +@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_conn_t *conn) | |
| + | |
| + static void run_pending_requests(h2o_http2_conn_t *conn) | |
| + { | |
| ++ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) | |
| ++ return; | |
| ++ | |
| + while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) { | |
| + /* fetch and detach a pending stream */ | |
| + h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next); | |
| +@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2o_http2_conn_t *conn, h2o_http2_stream_t | |
| + assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler)); | |
| + h2o_http2_scheduler_close(&stream->_refs.scheduler); | |
| + | |
| ++ /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that | |
| ++ * generate resets for >50% of requests. */ | |
| ++ if (stream->reset_by_peer) { | |
| ++ if (conn->dos_mitigation.reset_budget > 0) | |
| ++ --conn->dos_mitigation.reset_budget; | |
| ++ } else { | |
| ++ if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection) | |
| ++ ++conn->dos_mitigation.reset_budget; | |
| ++ } | |
| ++ | |
| + switch (stream->state) { | |
| + case H2O_HTTP2_STREAM_STATE_IDLE: | |
| + case H2O_HTTP2_STREAM_STATE_RECV_HEADERS: | |
| +@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn_t *conn) | |
| + h2o_hpack_dispose_header_table(&conn->_output_header_table); | |
| + assert(h2o_linklist_is_empty(&conn->_pending_reqs)); | |
| + h2o_timeout_unlink(&conn->_timeout_entry); | |
| ++ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) | |
| ++ h2o_timeout_unlink(&conn->dos_mitigation.process_delay); | |
| + h2o_buffer_dispose(&conn->_write.buf); | |
| + if (conn->_write.buf_in_flight != NULL) | |
| + h2o_buffer_dispose(&conn->_write.buf_in_flight); | |
| +@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_http2_conn_t *conn, h2o_http2_frame_t *fr | |
| + return H2O_HTTP2_ERROR_PROTOCOL; | |
| + } | |
| + | |
| +- stream = h2o_http2_conn_get_stream(conn, frame->stream_id); | |
| +- if (stream != NULL) { | |
| ++ if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL) | |
| ++ return 0; | |
| ++ | |
| + /* reset the stream */ | |
| ++ stream->reset_by_peer = 1; | |
| + h2o_http2_stream_reset(conn, stream); | |
| +- } | |
| ++ | |
| ++ /* setup process delay if we've just ran out of reset budget */ | |
| ++ if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 && | |
| ++ !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) | |
| ++ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout, | |
| ++ &conn->dos_mitigation.process_delay); | |
| ++ | |
| + /* TODO log */ | |
| + | |
| + return 0; | |
| +@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_weight(h2o_req_t *req) | |
| + return h2o_iovec_init(s, len); | |
| + } | |
| + | |
| ++static void on_dos_process_delay(h2o_timeout_entry_t *timer) | |
| ++{ | |
| ++ h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer); | |
| ++ | |
| ++ assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)); | |
| ++ run_pending_requests(conn); | |
| ++} | |
| ++ | |
| + static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at) | |
| + { | |
| + static const h2o_conn_callbacks_t callbacks = { | |
| +@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, | |
| + conn->_write.timeout_entry.cb = emit_writereq; | |
| + h2o_http2_window_init(&conn->_write.window, &conn->peer_settings); | |
| + | |
| ++ conn->dos_mitigation.process_delay.cb = on_dos_process_delay; | |
| ++ conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection; | |
| ++ | |
| + return conn; | |
| + } | |
| + | |
| +--- a/CMakeLists.txt | |
| ++++ b/CMakeLists.txt | |
| +@@ -29,9 +29,9 @@ SET(VERSION_MINOR "2") | |
| + SET(VERSION_PATCH "6") | |
| + SET(VERSION_PRERELEASE "") | |
| + SET(VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}${VERSION_PRERELEASE}") | |
| +-SET(LIBRARY_VERSION_MAJOR "0") | |
| +-SET(LIBRARY_VERSION_MINOR "13") | |
| +-SET(LIBRARY_VERSION_PATCH "6") | |
| ++SET(LIBRARY_VERSION_MAJOR "1") | |
| ++SET(LIBRARY_VERSION_MINOR "0") | |
| ++SET(LIBRARY_VERSION_PATCH "0") | |
| + SET(LIBRARY_VERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}${VERSION_PRERELEASE}") | |
| + SET(LIBRARY_SOVERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}") | |
| + | |
| +--- a/include/h2o/version.h | |
| ++++ b/include/h2o/version.h | |
| +@@ -28,8 +28,8 @@ | |
| + #define H2O_VERSION_MINOR 2 | |
| + #define H2O_VERSION_PATCH 6 | |
| + | |
| +-#define H2O_LIBRARY_VERSION_MAJOR 0 | |
| +-#define H2O_LIBRARY_VERSION_MINOR 13 | |
| +-#define H2O_LIBRARY_VERSION_PATCH 6 | |
| ++#define H2O_LIBRARY_VERSION_MAJOR 1 | |
| ++#define H2O_LIBRARY_VERSION_MINOR 0 | |
| ++#define H2O_LIBRARY_VERSION_PATCH 0 | |
| + | |
| + #endif |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment