From: Filippo Valsorda Date: Thu, 9 Dec 2021 11:32:14 +0000 (-0500) Subject: [release-branch.go1.17] net/http: update bundled golang.org/x/net/http2 X-Git-Tag: go1.17.5~1 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=48d948963c5ce7add72af5665a871caff6c1d35a;p=gostls13.git [release-branch.go1.17] net/http: update bundled golang.org/x/net/http2 Pull in security fix 84cba54 http2: cap the size of the server's canonical header cache Updates #50058 Fixes CVE-2021-44716 Change-Id: Ia89e3d22a173c6cb83f03608d5186fcd08f2956c Reviewed-on: https://go-review.googlesource.com/c/go/+/370574 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda Reviewed-by: Alex Rakoczy TryBot-Result: Gopher Robot --- diff --git a/src/go.mod b/src/go.mod index 1971741efa..ada5007793 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,7 +4,7 @@ go 1.17 require ( golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e - golang.org/x/net v0.0.0-20211201233630-85e122b1a9b3 + golang.org/x/net v0.0.0-20211209100829-84cba5454caf ) require ( diff --git a/src/go.sum b/src/go.sum index 32c714d1ed..3e181c992f 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,8 +1,8 @@ golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e h1:8foAy0aoO5GkqCvAEJ4VC4P3zksTg4X4aJCDpZzmgQI= golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20211201233630-85e122b1a9b3 h1:0tKANouoxlq5b2OS7rABX92sfG5Dkz24NFtLSu09W3o= -golang.org/x/net v0.0.0-20211201233630-85e122b1a9b3/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211209100829-84cba5454caf h1:Chci/BE/+xVqrcWnObL99NS8gtXyJrhHDlygBQrggHM= +golang.org/x/net v0.0.0-20211209100829-84cba5454caf/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744 h1:yhBbb4IRs2HS9PPlAg6DMC6mUOKexJBNsLf4Z+6En1Q= diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go index 7e1195cfd7..2463118eb9 100644 --- a/src/net/http/h2_bundle.go +++ b/src/net/http/h2_bundle.go @@ -4382,7 +4382,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string { sc.canonHeader = make(map[string]string) } cv = CanonicalHeaderKey(v) - sc.canonHeader[v] = cv + // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of + // entries in the canonHeader cache. This should be larger than the number + // of unique, uncommon header keys likely to be sent by the peer, while not + // so high as to permit unreaasonable memory usage if the peer sends an unbounded + // number of unique header keys. + const maxCachedCanonicalHeaders = 32 + if len(sc.canonHeader) < maxCachedCanonicalHeaders { + sc.canonHeader[v] = cv + } return cv } diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt index 0981b7f333..bb0b4c561d 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519 golang.org/x/crypto/hkdf golang.org/x/crypto/internal/subtle golang.org/x/crypto/poly1305 -# golang.org/x/net v0.0.0-20211201233630-85e122b1a9b3 +# golang.org/x/net v0.0.0-20211209100829-84cba5454caf ## explicit; go 1.17 golang.org/x/net/dns/dnsmessage golang.org/x/net/http/httpguts