Project

General

Profile

Actions

Security #6892

closed

http2: oom on copying compressed headers

Added by Philippe Antoine 3 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

390f09692eb99809c679d3f350c7cc185d163e1a

Severity:
CRITICAL
Disclosure Date:
06/20/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67562

I would rate this critical : can allocate up to 4Gbytes of memory with 128 kbytes of traffic...

We have one bound of 65k for the maximum "dynamic headers table" size, but this can get multiplied by an arbitrary number of bytes representing one compressed header.

Not sure to backport it for 6 as HTTP2 is experimental there


Subtasks 2 (0 open2 closed)

Security #6893: http2: oom on copying compressed headers (7.0.x backport)ClosedPhilippe AntoineActions
Security #6972: http2: oom on copying compressed headers (6.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (0 open1 closed)

Related to Suricata - Security #6900: http2: timeout logging headersClosedPhilippe AntoineActions
Actions #1

Updated by OISF Ticketbot 3 months ago

  • Subtask #6893 added
Actions #2

Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by Philippe Antoine 3 months ago

  • Private changed from No to Yes
  • Label Needs backport to 7.0 added
Actions #4

Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 7.0)
Actions #5

Updated by Victor Julien 3 months ago

  • Severity changed from MODERATE to CRITICAL
Actions #6

Updated by Philippe Antoine 3 months ago

  • Status changed from New to In Review

Gitlab MR

Actions #7

Updated by Philippe Antoine 3 months ago

Actions #8

Updated by Victor Julien 2 months ago

  • Label Needs backport to 6.0 added
Actions #9

Updated by OISF Ticketbot 2 months ago

  • Subtask #6972 added
Actions #10

Updated by OISF Ticketbot 2 months ago

  • Label deleted (Needs backport to 6.0)
Actions #11

Updated by Shivani Bhardwaj 2 months ago

  • CVE set to 2024-32663
Actions #12

Updated by Victor Julien 2 months ago

  • Status changed from In Review to Closed
  • Git IDs updated (diff)
Actions

Also available in: Atom PDF