From 998fdce3ae5954735157da43c285022a8bff707f Mon Sep 17 00:00:00 2001
From: Mauri de Souza Meneguzzo
Date: Thu, 26 Oct 2023 01:52:57 +0000
Subject: [release-branch.go1.20] net/http: pull http2 underflow fix from x/net/http2
After CL 534295 was merged to fix a CVE it introduced an underflow when we try to decrement sc.curHandlers in handlerDone.
Pull in a fix from x/net/http2:
http2: fix underflow in http2 server push
https://go-review.googlesource.com/c/net/+/535595
For #63511
Fixes #63740
Change-Id: I5c678ce7dcc53635f3ad5e4999857cb120dfc1ab
GitHub-Last-Rev: 587ffa3cafbb9da6bc82ba8a5b83313f81e5c89b
GitHub-Pull-Request: golang/go#63561
Reviewed-on: https://go-review.googlesource.com/c/go/+/535575
Run-TryBot: Mauri de Souza Meneguzzo
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Dmitri Shuralyov
Reviewed-by: David Chase
Auto-Submit: Dmitri Shuralyov
TryBot-Result: Gopher Robot
(cherry picked from commit 0046c1414c4910dfe54abfcdbe18e565dd5a60f6)
Reviewed-on: https://go-review.googlesource.com/c/go/+/538095
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Cherry Mui
---
 src/go.mod | 2 +-
 src/go.sum | 4 ++--
 src/net/http/h2_bundle.go | 1 +
 src/vendor/modules.txt | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/go.mod b/src/go.mod
index 2c59e161a2..7a15940c88 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -4,7 +4,7 @@ go 1.20
 require (
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a
- golang.org/x/net v0.4.1-0.20231010172015-16ed2c89e550
+ golang.org/x/net v0.4.1-0.20231027154331-b8c2abfc1559
 )
 require (
diff --git a/src/go.sum b/src/go.sum
index 38e6e5b4ce..3ab018e39e 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -1,7 +1,7 @@
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a h1:diz9pEYuTIuLMJLs3rGDkeaTsNyRs6duYdFyPAxzE/U=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/net v0.4.1-0.20231010172015-16ed2c89e550 h1:esz6u1pHwcbo5lZtgSvsbxnii8/20eN+qlwyXIuCDf0=
-golang.org/x/net v0.4.1-0.20231010172015-16ed2c89e550/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.4.1-0.20231027154331-b8c2abfc1559 h1:ZYA0bvgfxBB+JecyQpRCT/HUR/bSwdk6OJUhJ3CNLxg=
+golang.org/x/net v0.4.1-0.20231027154331-b8c2abfc1559/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 1f6d264c16..e719b5d23f 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -6948,6 +6948,7 @@ func (sc *http2serverConn) startPush(msg *http2startPushRequest) {
 panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
 }
+ sc.curHandlers++
 go sc.runHandler(rw, req, sc.handler.ServeHTTP)
 return promisedID, nil
 }
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 5961133127..7563827b22 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -7,7 +7,7 @@ golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
-# golang.org/x/net v0.4.1-0.20231010172015-16ed2c89e550
+# golang.org/x/net v0.4.1-0.20231027154331-b8c2abfc1559
 ## explicit; go 1.17
 golang.org/x/net/dns/dnsmessage
 golang.org/x/net/http/httpguts
--
cgit v1.2.3-54-g00ecf
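Review bot: The added `sc.curHandlers++` in the src/net/http/h2_bundle.go hunk has no comment, and its counterpart is the decrement in handlerDone, which lies outside this hunk, so the pairing that prevents the underflow is invisible at the call site. A comment such as `// Pushed streams start their handler here directly; count it so handlerDone's decrement stays balanced.` would make it harder for a later refactor to drop the increment and reintroduce the wraparound. The counter is presumably what the earlier CVE fix uses to bound concurrent handlers, so an unbalanced value would matter beyond the arithmetic itself; that should be confirmed against the code that reads it. The commit message describes this file as pulled from x/net/http2, so the comment would likely need to land there first, and the diffstat shows no test file, so it is worth confirming that a server-push regression test covers this branch. startPush starts above the hunk and may continue past it.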