| From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001 |
| From: Chen Qi <Qi.Chen@windriver.com> |
| Date: Wed, 9 Aug 2023 13:33:45 +0800 |
| Subject: [PATCH] fix CVE-2023-32732 |
| |
| CVE: CVE-2023-32732 |
| |
| Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2] |
| The original patch is adjusted to fit the current 1.50.1 version. |
| |
| Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| --- |
| .../ext/transport/chttp2/transport/hpack_parser.cc | 10 +++++++--- |
| src/core/ext/transport/chttp2/transport/internal.h | 2 -- |
| src/core/ext/transport/chttp2/transport/parsing.cc | 6 ++---- |
| 3 files changed, 9 insertions(+), 9 deletions(-) |
| |
| diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc |
| index f2e49022dc3..cd459d15238 100644 |
| --- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc |
| +++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc |
| @@ -1211,12 +1211,16 @@ class HPackParser::Parser { |
| "). GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.", |
| *frame_length_, metadata_size_limit_); |
| if (metadata_buffer_ != nullptr) metadata_buffer_->Clear(); |
| + // StreamId is used as a signal to skip this stream but keep the connection |
| + // alive |
| return input_->MaybeSetErrorAndReturn( |
| [] { |
| return grpc_error_set_int( |
| - GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
| - "received initial metadata size exceeds limit"), |
| - GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED); |
| + grpc_error_set_int( |
| + GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
| + "received initial metadata size exceeds limit"), |
| + GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED), |
| + GRPC_ERROR_INT_STREAM_ID, 0); |
| }, |
| false); |
| } |
| diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h |
| index 4a2f4261d83..f8b544d9583 100644 |
| --- a/src/core/ext/transport/chttp2/transport/internal.h |
| +++ b/src/core/ext/transport/chttp2/transport/internal.h |
| @@ -542,8 +542,6 @@ struct grpc_chttp2_stream { |
| |
| grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture(); |
| |
| - /** saw some stream level error */ |
| - grpc_error_handle forced_close_error = GRPC_ERROR_NONE; |
| /** how many header frames have we received? */ |
| uint8_t header_frames_received = 0; |
| /** number of bytes received - reset at end of parse thread execution */ |
| diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc |
| index 980f13543f6..afe6da190b6 100644 |
| --- a/src/core/ext/transport/chttp2/transport/parsing.cc |
| +++ b/src/core/ext/transport/chttp2/transport/parsing.cc |
| @@ -22,6 +22,7 @@ |
| #include <string.h> |
| |
| #include <string> |
| +#include <utility> |
| |
| #include "absl/base/attributes.h" |
| #include "absl/status/status.h" |
| @@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t, |
| } |
| grpc_chttp2_parsing_become_skip_parser(t); |
| if (s) { |
| - s->forced_close_error = err; |
| - grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id, |
| - GRPC_HTTP2_PROTOCOL_ERROR, |
| - &s->stats.outgoing); |
| + grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus())); |
| } else { |
| GRPC_ERROR_UNREF(err); |
| } |
| -- |
| 2.34.1 |
| |