Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http2: treat non-EOF empty frames like other invalid frames #37875

Closed
wants to merge 4 commits into from
Closed

http2: treat non-EOF empty frames like other invalid frames #37875

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fd15502
http2: fix setting options before handle exists
addaleax Mar 23, 2021
515cab2
http2: treat non-EOF empty frames like other invalid frames
addaleax Mar 23, 2021
752cb85
fixup! http2: fix setting options before handle exists
addaleax Mar 23, 2021
a087881
fixup! http2: fix setting options before handle exists
addaleax Mar 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 46 additions & 8 deletions lib/internal/http2/core.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,16 @@ const {
Promise,
PromisePrototypeCatch,
ReflectApply,
ReflectGet,
ReflectGetPrototypeOf,
ReflectSet,
RegExpPrototypeTest,
SafeArrayIterator,
SafeMap,
SafeSet,
StringPrototypeSlice,
Symbol,
TypedArrayPrototypeSet,
TypedArrayPrototypeGetLength,
Uint32Array,
Uint8Array,
} = primordials;
Expand Down Expand Up @@ -960,6 +962,36 @@ const validateSettings = hideStackFrames((settings) => {
}
});

// Wrap a typed array in a proxy, and allow selectively copying the entries
// that have explicitly been set to another typed array.
function trackAssignmentsTypedArray(typedArray) {
const typedArrayLength = TypedArrayPrototypeGetLength(typedArray);
const modifiedEntries = new Uint8Array(typedArrayLength);

function copyAssigned(target) {
for (let i = 0; i < typedArrayLength; i++) {
if (modifiedEntries[i]) {
target[i] = typedArray[i];
}
}
}

return new Proxy(typedArray, {
get(obj, prop, receiver) {
if (prop === 'copyAssigned') {
return copyAssigned;
}
return ReflectGet(obj, prop, receiver);
},
set(obj, prop, value) {
if (`${+prop}` === prop) {
modifiedEntries[prop] = 1;
}
return ReflectSet(obj, prop, value);
}
});
}

// Creates the internal binding.Http2Session handle for an Http2Session
// instance. This occurs only after the socket connection has been
// established. Note: the binding.Http2Session will take over ownership
Expand Down Expand Up @@ -990,10 +1022,13 @@ function setupHandle(socket, type, options) {
handle.consume(socket._handle);

this[kHandle] = handle;
if (this[kNativeFields])
TypedArrayPrototypeSet(handle.fields, this[kNativeFields]);
else
this[kNativeFields] = handle.fields;
if (this[kNativeFields]) {
// If some options have already been set before the handle existed, copy
// those (and only those) that have manually been set over.
this[kNativeFields].copyAssigned(handle.fields);
}

this[kNativeFields] = handle.fields;

if (socket.encrypted) {
this[kAlpnProtocol] = socket.alpnProtocol;
Expand Down Expand Up @@ -1045,7 +1080,8 @@ function cleanupSession(session) {
session[kProxySocket] = undefined;
session[kSocket] = undefined;
session[kHandle] = undefined;
session[kNativeFields] = new Uint8Array(kSessionUint8FieldCount);
session[kNativeFields] = trackAssignmentsTypedArray(
new Uint8Array(kSessionUint8FieldCount));
if (handle)
handle.ondone = null;
if (socket) {
Expand Down Expand Up @@ -1213,8 +1249,10 @@ class Http2Session extends EventEmitter {
setupFn();
}

if (!this[kNativeFields])
this[kNativeFields] = new Uint8Array(kSessionUint8FieldCount);
if (!this[kNativeFields]) {
this[kNativeFields] = trackAssignmentsTypedArray(
new Uint8Array(kSessionUint8FieldCount));
}
this.on('newListener', sessionListenerAdded);
this.on('removeListener', sessionListenerRemoved);

Expand Down
6 changes: 5 additions & 1 deletion src/node_http2.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1335,7 +1335,11 @@ int Http2Session::HandleDataFrame(const nghttp2_frame* frame) {
frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
stream->EmitRead(UV_EOF);
} else if (frame->hd.length == 0) {
return 1; // Consider 0-length frame without END_STREAM an error.
if (invalid_frame_count_++ > js_fields_->max_invalid_frames) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should invalid_frame_count be reset if valid frames come through? Pertaining to #37849, if an end server is sending EOF frames after every valid frame, would this solution only allow for single requests in a session?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So... I don't think we'd want to reset after every valid frame, or at least I think that would be a bit separate from this PR.

What would makes sense to me is to make this a ratio of invalid frames/total frames that is being limited, rather than the total # of invalid frames ... but that feels a bit out of scope here :/ In any case, users who do wish to allow for a large number of invalid frames can set the maxSessionInvalidFrames option to a large value, if they are connecting to problematic servers.

Debug(this, "rejecting empty-frame-without-END_STREAM flood\n");
// Consider a flood of 0-length frames without END_STREAM an error.
return 1;
}
}
return 0;
}
Expand Down
Binary file added test/fixtures/emptyframe.http2
View file
Open in desktop
Binary file not shown.
39 changes: 39 additions & 0 deletions test/parallel/test-http2-empty-frame-without-eof.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
'use strict';
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
const { readSync } = require('../common/fixtures');
const net = require('net');
const http2 = require('http2');
const { once } = require('events');

async function main() {
const blobWithEmptyFrame = readSync('emptyframe.http2');
const server = net.createServer((socket) => {
socket.end(blobWithEmptyFrame);
}).listen(0);
await once(server, 'listening');

for (const maxSessionInvalidFrames of [0, 2]) {
const client = http2.connect(`http://localhost:${server.address().port}`, {
maxSessionInvalidFrames
});
const stream = client.request({
':method': 'GET',
':path': '/'
});
if (maxSessionInvalidFrames) {
stream.on('error', common.mustNotCall());
client.on('error', common.mustNotCall());
} else {
stream.on('error', common.mustCall());
client.on('error', common.mustCall());
}
stream.resume();
await once(stream, 'end');
client.close();
}
server.close();
}

main().then(common.mustCall());