authorFilippo Valsorda <filippo@golang.org>2021-12-09 06:13:31 -0500
committerAlex Rakoczy <alex@golang.org>2021-12-09 13:10:36 +0000
commitd0aebe3e74fe14799f97ddd3f01129697c6a290a (patch)
treeb98aa26533e9608973c6baf90a8f24a0172c5c9e /src/net/http/h2_bundle.go
parent99950270f3cf52cccc6966d8668ff21b573bb6f5 (diff)
[release-branch.go1.16] net/http: update bundled golang.org/x/net/http2
Pull in security fix a5309b3 http2: cap the size of the server's canonical header cache Updates #50058 Fixes CVE-2021-44716 Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9 Reviewed-on: https://go-review.googlesource.com/c/go/+/370575 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Alex Rakoczy <alex@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
Diffstat (limited to 'src/net/http/h2_bundle.go')
-rw-r--r--src/net/http/h2_bundle.go10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 735f1b5eac..6a0c1acf5f 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4373,7 +4373,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
sc.canonHeader = make(map[string]string)
}
cv = CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
return cv
}
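Review bot: The guard `if len(sc.canonHeader) < maxCachedCanonicalHeaders` caps the number of cached entries but not their size, so the per-connection memory bound still depends on header-size limits that are presumably enforced elsewhere and are not visible in this hunk. The comment should say so, for example `// The limit is on entry count only; key length is bounded by the server's header size limits.` Once 32 keys are stored nothing is evicted, so later uncommon keys are recomputed by `CanonicalHeaderKey` on every use; that looks like an acceptable trade-off if the cache is per connection, as the `sc` receiver suggests, but the comment could state it. The new comment also misspells "unreasonable" as `unreaasonable`. Because h2_bundle.go is bundled from golang.org/x/net/http2, any wording change belongs upstream; `canonicalHeader` begins above the hunk, so the lookup path before the insert is not reviewed here.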