Closed Bug 1291814 Opened 8 years ago Closed 8 years ago

enforce increasing h2 push ids

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: mcmanus, Assigned: mcmanus)

Details

(Whiteboard: [spdy][necko-active])

Attachments

(1 file)

enforce h2 increasing push ids
3.01 KB, patch
u408661
: review+
Details | Diff | Splinter Review 
There is a public blackhat attack today against h2 servers where stream ids are recycled instead of being always increasing. It looks like they got a server to have a UAF problem.

The same technique could be used against the client via server push - we don't enforce that the stream ids are increasing.

however I'm pretty confident nothing particularly bad would happen - if the stream still existed we would reset the push (so you wouldn't be able to attach and then wait for it to be freed prematurely), and if the stream no longer existed we would accept it but it would go through the normal lifecycle just like if it were a bigger ID.

nonetheless, its not cool and 7540 tells us to reset the connection with protocol error in this case. Let's do that.

        Attachment #8777481 -
        Flags: review?(hurley)

    
  
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED

    
  

        Attachment #8777481 -
        Flags: review?(hurley) → review+

    
  
Keywords: checkin-needed

    
    

    
  
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4563f1ee1d06
enforce h2 increasing push ids. r=hurley
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/4563f1ee1d06
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox51:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: