1From 618120c165669c00a1606505defea6ca755cdc27 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Wed, 30 Nov 2022 16:46:33 -0500
4Subject: [PATCH] [release-branch.go1.19] net/http: update bundled
5 golang.org/x/net/http2
6
7Disable cmd/internal/moddeps test, since this update includes PRIVATE
8track fixes.
9
10For #56350.
11For #57009.
12Fixes CVE-2022-41717.
13
14Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
15Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
16Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
17Reviewed-by: Julie Qiu <julieqiu@google.com>
18Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
19TryBot-Result: Gopher Robot <gobot@golang.org>
20Run-TryBot: Jenny Rakoczy <jenny@golang.org>
21Reviewed-by: Michael Pratt <mpratt@google.com>
22
23Upstream-Status: Backport [https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27]
24CVE: CVE-2022-41717
25Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
26---
27 src/cmd/internal/moddeps/moddeps_test.go | 1 +
28 src/net/http/h2_bundle.go | 18 +++++++++++-------
29 2 files changed, 12 insertions(+), 7 deletions(-)
30
31diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
32index 3306e29..d48d43f 100644
33--- a/src/cmd/internal/moddeps/moddeps_test.go
34+++ b/src/cmd/internal/moddeps/moddeps_test.go
35@@ -34,6 +34,7 @@ import (
36 // See issues 36852, 41409, and 43687.
37 // (Also see golang.org/issue/27348.)
38 func TestAllDependencies(t *testing.T) {
39+ t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules")
40 t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
41
42 goBin := testenv.GoToolPath(t)
43diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
44index 6e2ef30..9d6abd8 100644
45--- a/src/net/http/h2_bundle.go
46+++ b/src/net/http/h2_bundle.go
47@@ -4189,6 +4189,7 @@ type http2serverConn struct {
48 headerTableSize uint32
49 peerMaxHeaderListSize uint32 // zero means unknown (default)
50 canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
51+ canonHeaderKeysSize int // canonHeader keys size in bytes
52 writingFrame bool // started writing a frame (on serve goroutine or separate)
53 writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
54 needsFrameFlush bool // last frame write wasn't a flush
55@@ -4368,6 +4369,13 @@ func (sc *http2serverConn) condlogf(err error, format string, args ...interface{
56 }
57 }
58
59+// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
60+// of the entries in the canonHeader cache.
61+// This should be larger than the size of unique, uncommon header keys likely to
62+// be sent by the peer, while not so high as to permit unreasonable memory usage
63+// if the peer sends an unbounded number of unique header keys.
64+const http2maxCachedCanonicalHeadersKeysSize = 2048
65+
66 func (sc *http2serverConn) canonicalHeader(v string) string {
67 sc.serveG.check()
68 http2buildCommonHeaderMapsOnce()
69@@ -4383,14 +4391,10 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
70 sc.canonHeader = make(map[string]string)
71 }
72 cv = CanonicalHeaderKey(v)
73- // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
74- // entries in the canonHeader cache.
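Review bot: The added `t.Skip` on the first line of TestAllDependencies makes the existing `t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")` immediately below it unreachable, so the #53977 reference becomes dead text that will outlive the #57009 fix unnoticed. Collapse the two into one skip that carries both trackers, e.g. `t.Skip("TODO(#57009, #53977): 1.19.4 contains unreleased changes from vendored modules")`, or drop the 1.18.5 line outright since this is the 1.19 release branch. Judging by the skip message and the commit description, this test is what checks that vendored modules match a published upstream, so the skip should be tracked for removal once the x/net fix is publicly tagged rather than left in place indefinitely. The remainder of TestAllDependencies lies outside the hunk.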
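Review bot: The doc comment on `http2maxCachedCanonicalHeadersKeysSize` presents the 2048-byte budget as a guard against a peer sending unbounded unique header keys but never says what the budget is scoped to; the counter it bounds, `canonHeaderKeysSize`, is a field of `http2serverConn` (previous hunk), so the ceiling is per connection and server-wide cache memory still scales with the number of open connections. That is fine as a bound, but the comment should state it so the constant is not later raised on the assumption that it is a global limit; suggest appending `The limit applies per connection, so total cache memory is bounded by this value times the number of open server connections.` to the comment. The lines of canonicalHeader between the visible `http2buildCommonHeaderMapsOnce()` call and the next hunk are not shown.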
This should be larger than the number
75- // of unique, uncommon header keys likely to be sent by the peer, while not
76- // so high as to permit unreaasonable memory usage if the peer sends an unbounded
77- // number of unique header keys.
78- const maxCachedCanonicalHeaders = 32
79- if len(sc.canonHeader) < maxCachedCanonicalHeaders {
80+ size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
81+ if sc.canonHeaderKeysSize+size <= http2maxCachedCanonicalHeadersKeysSize {
82 sc.canonHeader[v] = cv
83+ sc.canonHeaderKeysSize += size
84 }
85 return cv
86 }
87--
882.25.1
89
90
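Review bot: The estimate at `size := 100 + len(v)*2` charges the cached value at the same length as the key, which is correct only because `CanonicalHeaderKey` preserves the length of its input; nothing in the hunk records that dependency, so a later change to how `cv` is derived would silently under-count against the budget. Make it explicit: `size := 100 + len(v)*2 // 100 bytes of map overhead + key + value (CanonicalHeaderKey preserves length)`. Also, in the visible code `canonHeaderKeysSize` is only ever incremented and the map is never cleared, so once the budget is spent every further uncommon key takes the uncached `CanonicalHeaderKey` path for the rest of the connection; that appears to be the intended cost bound, and a one-line comment on the `if` saying so would keep the next maintainer from "fixing" it with eviction and reopening the growth this commit closes. The opening of canonicalHeader, including where `cv` is declared and presumably looked up in the cache, precedes this hunk and is not visible.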