net/http: ReadRequest can stack overflow due to recursion with very large headers #45710
Comments
@gopherbot please consider this for backport to 1.16.4 and 1.15.12, it's a security issue. /cc @golang/release FYI
Backport issue(s) opened: #45711 (for 1.15), #45712 (for 1.16). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
Change https://golang.org/cl/313069 mentions this issue:
Change https://golang.org/cl/314596 mentions this issue:
Change https://golang.org/cl/314649 mentions this issue:
Change https://golang.org/cl/314650 mentions this issue:
…aderValuesContainsToken
Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).
Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.
Fixes CVE-2021-31525
Updates golang/go#45710
Updates golang/go#45712
Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <[email protected]>
Run-TryBot: Katie Hockman <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314649
Reviewed-by: Dmitri Shuralyov <[email protected]>
…esContainsToken
Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).
Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.
Fixes CVE-2021-31525
Updates golang/go#45710
Updates golang/go#45711
Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <[email protected]>
Run-TryBot: Katie Hockman <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314650
Reviewed-by: Dmitri Shuralyov <[email protected]>
The x/net fix has been pulled into the main repo for Go 1.17 as part of CL 316251. Closing as fixed.
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <[email protected]>
This issue appears to have been assigned CVE-2021-31525 according to https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Fixes the following security issues:
- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. golang/go#45710
Signed-off-by: Peter Korsgaard <[email protected]>
Yes, it has been assigned CVE-2021-31525. I've gone ahead and updated the original comment with the content of the announcement, which had the full details.
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit 79d800b) Signed-off-by: Derek McGowan <[email protected]>
Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710 Go's error file-line formatting changed in 1.16.3, so this change updates tests to only do suffix matching on these error strings.
Fixes the following security issues:
- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. golang/go#45710
Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit 1cfc01a)
Signed-off-by: Peter Korsgaard <[email protected]>
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit 79d800b) Signed-off-by: Sebastiaan van Stijn <[email protected]>
`ReadRequest` and `ReadResponse` in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). `Transport` and `Client` are vulnerable and the program can be made to crash by a malicious server. `Server` is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting `Server.MaxHeaderBytes` to a higher value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and `HeaderValuesContainsToken` in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/[email protected].
This is CVE-2021-31525.
According to the new security policy (#44918), this will be fixed as a PUBLIC track issue.
Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.
/cc @golang/security
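As an added illustration of the defect this issue describes (example code written for this page, not the Go project's own httpguts implementation): a comma-list token search that recurses once per list element, next to an iterative rewrite that uses constant stack space, plus a helper that reports the header limit a `Server` actually enforces. The function names, the `hostileHeaderValue` constructor and the sample values are assumptions made here; only `http.DefaultMaxHeaderBytes` and `Server.MaxHeaderBytes` are real net/http identifiers.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// trimOWS strips optional whitespace (SP / HTAB) from both ends of a
// header field value, as RFC 7230 allows around list elements.
func trimOWS(s string) string {
	return strings.Trim(s, " \t")
}

// containsTokenRecursive reports whether the comma-separated header value v
// contains token (ASCII case-insensitive). It follows the shape of the
// defect described in this issue: one recursive call per comma. Go does not
// eliminate tail calls, so the call depth equals the number of list
// elements, and a multi-megabyte value of the form ",,,,,..." exhausts the
// goroutine stack. The runtime then aborts with a fatal "stack overflow"
// that recover() cannot catch. (Assumed reconstruction, not the real code.)
func containsTokenRecursive(v, token string) bool {
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return strings.EqualFold(trimOWS(v[:comma]), token) ||
			containsTokenRecursive(v[comma+1:], token)
	}
	return strings.EqualFold(v, token)
}

// containsTokenIterative does the same work in a loop, so stack usage is
// constant no matter how many commas a peer sends.
func containsTokenIterative(v, token string) bool {
	for {
		comma := strings.IndexByte(v, ',')
		if comma == -1 {
			return strings.EqualFold(trimOWS(v), token)
		}
		if strings.EqualFold(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
}

// headerValuesContainToken applies the check across every value of a field
// (a field may appear on several header lines), the way net/http tests for
// "Connection: close".
func headerValuesContainToken(values []string, token string) bool {
	for _, v := range values {
		if containsTokenIterative(v, token) {
			return true
		}
	}
	return false
}

// hostileHeaderValue builds a list value of n empty elements followed by the
// token, the kind of input that drives the recursive version n frames deep.
// n is kept small in main; the report used a value of roughly 10MB.
func hostileHeaderValue(n int) string {
	return strings.Repeat(",", n) + "close"
}

// effectiveMaxHeaderBytes reports the request-header limit a Server
// enforces: MaxHeaderBytes when set, otherwise the 1MB default. As the
// advisory above notes, Server is only exposed to this crash when the
// default is raised well above 1MB.
func effectiveMaxHeaderBytes(s *http.Server) int {
	if s.MaxHeaderBytes > 0 {
		return s.MaxHeaderBytes
	}
	return http.DefaultMaxHeaderBytes
}

func main() {
	// Constructed sample inputs.
	v := hostileHeaderValue(1000)
	fmt.Println(containsTokenRecursive(v, "close"), containsTokenIterative(v, "close"))
	fmt.Println(headerValuesContainToken([]string{"keep-alive", "Upgrade, Close"}, "close"))
	fmt.Println(effectiveMaxHeaderBytes(&http.Server{}),
		effectiveMaxHeaderBytes(&http.Server{MaxHeaderBytes: 16 << 20}))
}
```

Raising `MaxHeaderBytes` to tens of megabytes is exactly the configuration the advisory calls out: it lets a client deliver a `Connection` value large enough to reach the recursion depth that kills the process, so a server that needs oversized headers should run on a patched Go release rather than rely on the default limit.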