1From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001 2From: Roland Shoemaker <bracewell@google.com> 3Date: Mon, 6 Feb 2023 10:03:44 -0800 4Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 5 6Disable cmd/internal/moddeps test, since this update includes PRIVATE 7track fixes. 8 9Fixes CVE-2022-41723 10Fixes #58355 11Updates #57855 12 13Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c 14Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939 15Reviewed-by: Damien Neil <dneil@google.com> 16Reviewed-by: Julie Qiu <julieqiu@google.com> 17Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 18Run-TryBot: Roland Shoemaker <bracewell@google.com> 19Reviewed-on: https://go-review.googlesource.com/c/go/+/468118 20TryBot-Result: Gopher Robot <gobot@golang.org> 21Run-TryBot: Michael Pratt <mpratt@google.com> 22Auto-Submit: Michael Pratt <mpratt@google.com> 23Reviewed-by: Than McIntosh <thanm@google.com> 24 25Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3] 26CVE: CVE-2022-41723 27Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> 28--- 29 src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++--------- 30 1 file changed, 49 insertions(+), 30 deletions(-) 31 32diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go 33index 85f18a2..02e80e3 100644 34--- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go 35+++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go 36@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { 37 38 var hf HeaderField 39 wantStr := d.emitEnabled || it.indexed() 40+ var undecodedName undecodedString 41 if nameIdx > 0 { 42 ihf, ok := d.at(nameIdx) 43 if !ok { 44@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { 45 } 46 hf.Name = ihf.Name 47 } else { 48- hf.Name, buf, err = d.readString(buf, wantStr) 49+ undecodedName, buf, err = d.readString(buf) 50 if err != nil { 51 return err 52 } 53 } 54- hf.Value, buf, err = d.readString(buf, wantStr) 55+ undecodedValue, buf, err := d.readString(buf) 56 if err != nil { 57 return err 58 } 59+ if wantStr { 60+ if nameIdx <= 0 { 61+ hf.Name, err = d.decodeString(undecodedName) 62+ if err != nil { 63+ return err 64+ } 65+ } 66+ hf.Value, err = d.decodeString(undecodedValue) 67+ if err != nil { 68+ return err 69+ } 70+ } 71 d.buf = buf 72 if it.indexed() { 73 d.dynTab.add(hf) 74@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { 75 return 0, origP, errNeedMore 76 } 77 78-// readString decodes an hpack string from p. 79+// readString reads an hpack string from p. 80 // 81-// wantStr is whether s will be used. If false, decompression and 82-// []byte->string garbage are skipped if s will be ignored 83-// anyway. This does mean that huffman decoding errors for non-indexed 84-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server 85-// is returning an error anyway, and because they're not indexed, the error 86-// won't affect the decoding state. 87-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { 88+// It returns a reference to the encoded string data to permit deferring decode costs 89+// until after the caller verifies all data is present. 90+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { 91 if len(p) == 0 { 92- return "", p, errNeedMore 93+ return u, p, errNeedMore 94 } 95 isHuff := p[0]&128 != 0 96 strLen, p, err := readVarInt(7, p) 97 if err != nil { 98- return "", p, err 99+ return u, p, err 100 } 101 if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { 102- return "", nil, ErrStringLength 103+ // Returning an error here means Huffman decoding errors 104+ // for non-indexed strings past the maximum string length 105+ // are ignored, but the server is returning an error anyway 106+ // and because the string is not indexed the error will not 107+ // affect the decoding state. 108+ return u, nil, ErrStringLength 109 } 110 if uint64(len(p)) < strLen { 111- return "", p, errNeedMore 112- } 113- if !isHuff { 114- if wantStr { 115- s = string(p[:strLen]) 116- } 117- return s, p[strLen:], nil 118+ return u, p, errNeedMore 119 } 120+ u.isHuff = isHuff 121+ u.b = p[:strLen] 122+ return u, p[strLen:], nil 123+} 124 125- if wantStr { 126- buf := bufPool.Get().(*bytes.Buffer) 127- buf.Reset() // don't trust others 128- defer bufPool.Put(buf) 129- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { 130- buf.Reset() 131- return "", nil, err 132- } 133+type undecodedString struct { 134+ isHuff bool 135+ b []byte 136+} 137+ 138+func (d *Decoder) decodeString(u undecodedString) (string, error) { 139+ if !u.isHuff { 140+ return string(u.b), nil 141+ } 142+ buf := bufPool.Get().(*bytes.Buffer) 143+ buf.Reset() // don't trust others 144+ var s string 145+ err := huffmanDecode(buf, d.maxStrLen, u.b) 146+ if err == nil { 147 s = buf.String() 148- buf.Reset() // be nice to GC 149 } 150- return s, p[strLen:], nil 151+ buf.Reset() // be nice to GC 152+ bufPool.Put(buf) 153+ return s, err 154 } 155-- 1562.7.4 157