net/http: ReadRequest can stack overflow due to recursion with very large headers #45710
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
|
@gopherbot please consider this for backport to 1.16.4 and 1.15.12, it's a security issue. /cc @golang/release FYI |
|
Backport issue(s) opened: #45711 (for 1.15), #45712 (for 1.16). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
odeke-em
changed the title
|
Change https://golang.org/cl/313069 mentions this issue: |
|
Change https://golang.org/cl/314596 mentions this issue: |
|
Change https://golang.org/cl/314649 mentions this issue: |
dmitshur
added
the
NeedsFix
|
Change https://golang.org/cl/314650 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Apr 28, 2021
…aderValuesContainsToken Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB). Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program. Fixes CVE-2021-31525 Updates golang/go#45710 Updates golang/go#45712 Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> (cherry picked from commit 89ef3d9) Reviewed-on: https://go-review.googlesource.com/c/net/+/314649 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Apr 28, 2021
…esContainsToken Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB). Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program. Fixes CVE-2021-31525 Updates golang/go#45710 Updates golang/go#45711 Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> (cherry picked from commit 89ef3d9) Reviewed-on: https://go-review.googlesource.com/c/net/+/314650 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
The x/net fix has been pulled into the main repo for Go 1.17 as part of CL 316251. Closing as fixed. |
This was referenced May 6, 2021
AkihiroSuda
pushed a commit
to containerd/containerd
that referenced
this issue
May 7, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
15 tasks
|
This issue appears to have assigned CVE-2021-31525 according to https://bugzilla.redhat.com/show_bug.cgi?id=1958341 |
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this issue
May 8, 2021
Fixes the following security issues: - CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. golang/go#45710 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this issue
May 8, 2021
Fixes the following security issues: - CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. golang/go#45710 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
Yes, it has been assigned CVE-2021-31525. I've gone ahead and update the original comment with the content of the announcement, which had the full details. |
dmcgowan
pushed a commit
to dmcgowan/containerd
that referenced
this issue
May 10, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> (cherry picked from commit 79d800b) Signed-off-by: Derek McGowan <derek@mcg.dev>
olix0r
added a commit
to linkerd/linkerd2
that referenced
this issue
May 24, 2021
Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710 Go's error file-line formatting changed in 1.16.3, so this change updates tests to only do suffix matching on these error strings.
olix0r
added a commit
to linkerd/linkerd2
that referenced
this issue
May 24, 2021
Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710 Go's error file-line formatting changed in 1.16.3, so this change updates tests to only do suffix matching on these error strings.
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this issue
Sep 14, 2021
Fixes the following security issues: - CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. golang/go#45710 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 1cfc01a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
thaJeztah
pushed a commit
to thaJeztah/containerd
that referenced
this issue
Sep 15, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> (cherry picked from commit 79d800b) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
fahedouch
pushed a commit
to fahedouch/containerd
that referenced
this issue
Oct 15, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ReadRequestandReadResponsein net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones).TransportandClientare vulnerable and the program can be made to crash by a malicious server.Serveris not vulnerable by default, but can be if the default max header of 1MB is overridden by settingServer.MaxHeaderBytesto a higher value, in which case the program can be made to crash by a malicious client.This also affects golang.org/x/net/http2/h2c and
HeaderValuesContainsTokenin golang.org/x/net/http/httpguts, and is fixed in golang.org/x/net@v0.0.0-20210428140749-89ef3d95e781.This is CVE-2021-31525.
According to the new security policy (#44918), this will be fixed as a PUBLIC track issue.
Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.
/cc @golang/security
The text was updated successfully, but these errors were encountered: