diff options
author | Mauri de Souza Meneguzzo <mauri870@gmail.com> | 2023-10-26 01:52:57 +0000 |
---|---|---|
committer | Cherry Mui <cherryyz@google.com> | 2023-10-30 21:11:25 +0000 |
commit | 434af8537ea73f66f0d2b5a29806516b4b6207ab (patch) | |
tree | 729f7fb42123d37f1bd4681fd10bb3996da40d0c | |
parent | 7b04d81cbc2e45172c17e62943a777286a3341be (diff) | |
download | go-434af8537ea73f66f0d2b5a29806516b4b6207ab.tar.gz go-434af8537ea73f66f0d2b5a29806516b4b6207ab.zip |
[release-branch.go1.21] net/http: pull http2 underflow fix from x/net/http2
After CL 534295 was merged to fix a CVE it introduced
an underflow when we try to decrement sc.curHandlers
in handlerDone.
Pull in a fix from x/net/http2:
http2: fix underflow in http2 server push
https://go-review.googlesource.com/c/net/+/535595
For #63511
Fixes #63560
Change-Id: I5c678ce7dcc53635f3ad5e4999857cb120dfc1ab
GitHub-Last-Rev: 587ffa3cafbb9da6bc82ba8a5b83313f81e5c89b
GitHub-Pull-Request: golang/go#63561
Reviewed-on: https://go-review.googlesource.com/c/go/+/535575
Run-TryBot: Mauri de Souza Meneguzzo <mauri870@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 0046c1414c4910dfe54abfcdbe18e565dd5a60f6)
Reviewed-on: https://go-review.googlesource.com/c/go/+/537996
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-rw-r--r-- | src/go.mod | 2 | ||||
-rw-r--r-- | src/go.sum | 4 | ||||
-rw-r--r-- | src/net/http/h2_bundle.go | 1 | ||||
-rw-r--r-- | src/vendor/modules.txt | 2 |
4 files changed, 5 insertions, 4 deletions
diff --git a/src/go.mod b/src/go.mod index 1731c134ce..3b24053b94 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,7 +4,7 @@ go 1.21 require ( golang.org/x/crypto v0.11.1-0.20230711161743-2e82bdd1719d - golang.org/x/net v0.12.1-0.20231010172013-695775ce641b + golang.org/x/net v0.12.1-0.20231027154334-5ca955b1789c ) require ( diff --git a/src/go.sum b/src/go.sum index f47558ac1e..caf8ff010d 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,7 +1,7 @@ golang.org/x/crypto v0.11.1-0.20230711161743-2e82bdd1719d h1:LiA25/KWKuXfIq5pMIBq1s5hz3HQxhJJSu/SUGlD+SM= golang.org/x/crypto v0.11.1-0.20230711161743-2e82bdd1719d/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -golang.org/x/net v0.12.1-0.20231010172013-695775ce641b h1:hR8N9NbnuDR3j/GuYomkYkAFPO6noviYh65jEgTT+lc= -golang.org/x/net v0.12.1-0.20231010172013-695775ce641b/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.12.1-0.20231027154334-5ca955b1789c h1:d+VvAxu4S13DWtf73R5eY//VaCk3aUcVdyYjM1SX7zw= +golang.org/x/net v0.12.1-0.20231027154334-5ca955b1789c/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go index 9cd6a3490f..dd59e1f4f2 100644 --- a/src/net/http/h2_bundle.go +++ b/src/net/http/h2_bundle.go @@ -7012,6 +7012,7 @@ func (sc *http2serverConn) startPush(msg *http2startPushRequest) { panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) } + sc.curHandlers++ go sc.runHandler(rw, req, sc.handler.ServeHTTP) return promisedID, nil } diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt index 55df54373b..4de656b0e8 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -7,7 +7,7 @@ golang.org/x/crypto/cryptobyte/asn1 golang.org/x/crypto/hkdf golang.org/x/crypto/internal/alias golang.org/x/crypto/internal/poly1305 -# golang.org/x/net v0.12.1-0.20231010172013-695775ce641b +# golang.org/x/net v0.12.1-0.20231027154334-5ca955b1789c ## explicit; go 1.17 golang.org/x/net/dns/dnsmessage golang.org/x/net/http/httpguts |