1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001
From: Chen Qi <Qi.Chen@windriver.com>
Date: Wed, 9 Aug 2023 13:33:45 +0800
Subject: [PATCH] fix CVE-2023-32732
CVE: CVE-2023-32732
Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2]
The original patch is adjusted to fit the current 1.50.1 version.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
.../ext/transport/chttp2/transport/hpack_parser.cc | 10 +++++++---
src/core/ext/transport/chttp2/transport/internal.h | 2 --
src/core/ext/transport/chttp2/transport/parsing.cc | 6 ++----
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
index f2e49022dc3..cd459d15238 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
@@ -1211,12 +1211,16 @@ class HPackParser::Parser {
"). GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.",
*frame_length_, metadata_size_limit_);
if (metadata_buffer_ != nullptr) metadata_buffer_->Clear();
+ // StreamId is used as a signal to skip this stream but keep the connection
+ // alive
return input_->MaybeSetErrorAndReturn(
[] {
return grpc_error_set_int(
- GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "received initial metadata size exceeds limit"),
- GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED);
+ grpc_error_set_int(
+ GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "received initial metadata size exceeds limit"),
+ GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED),
+ GRPC_ERROR_INT_STREAM_ID, 0);
},
false);
}
diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h
index 4a2f4261d83..f8b544d9583 100644
--- a/src/core/ext/transport/chttp2/transport/internal.h
+++ b/src/core/ext/transport/chttp2/transport/internal.h
@@ -542,8 +542,6 @@ struct grpc_chttp2_stream {
grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture();
- /** saw some stream level error */
- grpc_error_handle forced_close_error = GRPC_ERROR_NONE;
/** how many header frames have we received? */
uint8_t header_frames_received = 0;
/** number of bytes received - reset at end of parse thread execution */
diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc
index 980f13543f6..afe6da190b6 100644
--- a/src/core/ext/transport/chttp2/transport/parsing.cc
+++ b/src/core/ext/transport/chttp2/transport/parsing.cc
@@ -22,6 +22,7 @@
#include <string.h>
#include <string>
+#include <utility>
#include "absl/base/attributes.h"
#include "absl/status/status.h"
@@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t,
}
grpc_chttp2_parsing_become_skip_parser(t);
if (s) {
- s->forced_close_error = err;
- grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id,
- GRPC_HTTP2_PROTOCOL_ERROR,
- &s->stats.outgoing);
+ grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus()));
} else {
GRPC_ERROR_UNREF(err);
}
--
2.34.1
|
