[Git][java-team/tomcat9][buster] 2 commits: Update CVE-2023-44487.patch
Markus Koschany (@apo)
gitlab at salsa.debian.org
Mon Oct 16 21:27:37 BST 2023
Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
64a998ce by Markus Koschany at 2023-10-16T20:52:35+02:00
Update CVE-2023-44487.patch
- - - - -
e0987541 by Markus Koschany at 2023-10-16T21:02:55+02:00
Update changelog
- - - - -
2 changed files:
- debian/changelog
- debian/patches/CVE-2023-44487.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+tomcat9 (9.0.31-1~deb10u10) buster-security; urgency=high
+
+ * Team upload.
+ * A regression was discovered in the Http2UpgradeHandler class of Tomcat 9
+ introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong
+ value for the overheadcount variable forced connections to close early.
+
+ -- Markus Koschany <apo at debian.org> Mon, 16 Oct 2023 20:53:15 +0200
+
tomcat9 (9.0.31-1~deb10u9) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2023-44487.patch
=====================================
@@ -7,14 +7,15 @@ Origin: https://github.com/apache/tomcat/commit/94480483910f2d19561e88fb194d7b41
Origin: https://github.com/apache/tomcat/commit/3f0efca913b09fa3a3d9c246cc29045ac8a2befe
Origin: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
Origin: https://github.com/apache/tomcat/commit/c551ecaa1ba4ffe50a67009a9c94efb03439ae8b
+Origin: https://github.com/apache/tomcat/commit/caafb952f77107fb4730546e60bf5d7756ef4c5a
---
java/org/apache/coyote/http2/Http2AsyncParser.java | 9 ++-
.../coyote/http2/Http2AsyncUpgradeHandler.java | 3 +
- java/org/apache/coyote/http2/Http2Protocol.java | 25 ++++++-
- .../apache/coyote/http2/Http2UpgradeHandler.java | 78 +++++++++++++++++-----
+ java/org/apache/coyote/http2/Http2Protocol.java | 25 +++++-
+ .../apache/coyote/http2/Http2UpgradeHandler.java | 88 +++++++++++++++++-----
.../apache/coyote/http2/LocalStrings.properties | 1 +
webapps/docs/config/http2.xml | 7 ++
- 6 files changed, 100 insertions(+), 23 deletions(-)
+ 6 files changed, 109 insertions(+), 24 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2AsyncParser.java b/java/org/apache/coyote/http2/Http2AsyncParser.java
index 827105a..c088e1e 100644
@@ -111,10 +112,34 @@ index ed23505..2ff219b 100644
return overheadContinuationThreshold;
}
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
-index 1a72851..348d706 100644
+index 1a72851..545698c 100644
--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
-@@ -342,7 +342,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -141,7 +141,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+ private Queue<StreamRunnable> queuedRunnable = null;
+
+ // Track 'overhead' frames vs 'request/response' frames
+- private final AtomicLong overheadCount = new AtomicLong(-10);
++ private final AtomicLong overheadCount;
+ private volatile int lastNonFinalDataPayload;
+ private volatile int lastWindowUpdate;
+
+@@ -152,6 +152,14 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+ this.adapter = adapter;
+ this.connectionId = Integer.toString(connectionIdGenerator.getAndIncrement());
+
++ // Defaults to -10 * the count factor.
++ // i.e. when the connection opens, 10 'overhead' frames in a row will
++ // cause the connection to be closed.
++ // Over time the count should be a slowly decreasing negative number.
++ // Therefore, the longer a connection is 'well-behaved', the greater
++ // tolerance it will have for a period of 'bad' behaviour.
++ overheadCount = new AtomicLong(-10 * protocol.getOverheadCountFactor());
++
+ lastNonFinalDataPayload = protocol.getOverheadDataThreshold() * 2;
+ lastWindowUpdate = protocol.getOverheadWindowUpdateThreshold() * 2;
+
+@@ -342,7 +350,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
stream.close(se);
}
}
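Review bot: The new initialiser `overheadCount = new AtomicLong(-10 * protocol.getOverheadCountFactor());` in the Http2UpgradeHandler constructor multiplies before widening, so if `getOverheadCountFactor()` returns an `int` (its declaration is not in this hunk) a very large configured factor would wrap and could start the counter above zero, which `isOverheadLimitExceeded()` treats as grounds to close the connection. Writing `-10L * protocol.getOverheadCountFactor()` keeps the arithmetic in `long`; it is also worth confirming how a zero or negative factor is meant to behave, since a negative one makes the starting value positive. The added comment says 10 overhead frames in a row close a new connection, but with a start of `-10 * factor` and the `> 0` test visible later in the patch the tenth frame only brings the count to zero, so `// i.e. when the connection opens, more than 10 'overhead' frames in a row will` would be more exact. The constructor starts and continues outside the hunk.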
@@ -123,7 +148,7 @@ index 1a72851..348d706 100644
throw new ConnectionException(
sm.getString("upgradeHandler.tooMuchOverhead", connectionId),
Http2Error.ENHANCE_YOUR_CALM);
-@@ -742,7 +742,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -742,7 +750,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
Integer.toString(len)));
}
@@ -132,7 +157,7 @@ index 1a72851..348d706 100644
// Need to check this now since sending end of stream will change this.
boolean writeable = stream.canWrite();
-@@ -1307,13 +1307,54 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1307,13 +1315,54 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
}
@@ -147,11 +172,9 @@ index 1a72851..348d706 100644
+ // Requests and responses with bodies will create additional
+ // non-overhead frames, further reducing the overhead count.
+ updateOverheadCount(frameType, Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR);
- }
-
-
-- private void increaseOverheadCount() {
-- overheadCount.addAndGet(getProtocol().getOverheadCountFactor());
++ }
++
++
+ private void increaseOverheadCount(FrameType frameType) {
+ // An overhead frame increases the overhead count by
+ // overheadCountFactor. By default, this means an overhead frame
@@ -183,15 +206,17 @@ index 1a72851..348d706 100644
+ log.debug(sm.getString("upgradeHandler.overheadChange",
+ connectionId, frameType.name(), Long.valueOf(newOverheadCount)));
+ }
-+ }
-+
-+
+ }
+
+
+- private void increaseOverheadCount() {
+- overheadCount.addAndGet(getProtocol().getOverheadCountFactor());
+ boolean isOverheadLimitExceeded() {
+ return overheadCount.get() > 0;
}
-@@ -1372,7 +1413,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1372,7 +1421,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
@Override
public ByteBuffer startRequestBodyFrame(int streamId, int payloadSize, boolean endOfStream) throws Http2Exception {
// DATA frames reduce the overhead count ...
@@ -200,7 +225,7 @@ index 1a72851..348d706 100644
// .. but lots of small payloads are inefficient so that will increase
// the overhead count unless it is the final DATA frame where small
-@@ -1391,7 +1432,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1391,7 +1440,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
average = 1;
}
if (average < overheadThreshold) {
@@ -209,7 +234,7 @@ index 1a72851..348d706 100644
}
}
-@@ -1457,7 +1498,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1457,7 +1506,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
log.debug(sm.getString("upgradeHandler.noNewStreams",
connectionId, Integer.toString(streamId)));
}
@@ -218,7 +243,7 @@ index 1a72851..348d706 100644
// Stateless so a static can be used to save on GC
return HEADER_SINK;
}
-@@ -1483,7 +1524,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1483,7 +1532,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
getConnectionId(), Integer.valueOf(streamId)), Http2Error.PROTOCOL_ERROR);
}
@@ -227,7 +252,7 @@ index 1a72851..348d706 100644
Stream stream = getStream(streamId, false);
if (stream == null) {
-@@ -1508,9 +1549,9 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1508,9 +1557,9 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
if (payloadSize < overheadThreshold) {
if (payloadSize == 0) {
// Avoid division by zero
@@ -239,7 +264,7 @@ index 1a72851..348d706 100644
}
}
}
-@@ -1528,13 +1569,13 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1528,13 +1577,13 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
// Ignoring maxConcurrentStreams increases the overhead count
@@ -255,7 +280,7 @@ index 1a72851..348d706 100644
processStreamOnContainerThread(stream);
}
-@@ -1552,6 +1593,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1552,6 +1601,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
@Override
public void reset(int streamId, long errorCode) throws Http2Exception {
@@ -263,7 +288,7 @@ index 1a72851..348d706 100644
Stream stream = getStream(streamId, true);
stream.checkState(FrameType.RST);
stream.receiveReset(errorCode);
-@@ -1561,7 +1603,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1561,7 +1611,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
@Override
public void setting(Setting setting, long value) throws ConnectionException {
@@ -272,7 +297,7 @@ index 1a72851..348d706 100644
// Possible with empty settings frame
if (setting == null) {
-@@ -1610,7 +1652,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1610,7 +1660,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
@Override
public void pingReceive(byte[] payload, boolean ack) throws IOException {
if (!ack) {
@@ -281,7 +306,7 @@ index 1a72851..348d706 100644
}
pingManager.receivePing(payload, ack);
}
-@@ -1646,7 +1688,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1646,7 +1696,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
// Check for small increments which are inefficient
if (average < overheadThreshold) {
// The smaller the increment, the larger the overhead
@@ -290,7 +315,7 @@ index 1a72851..348d706 100644
}
incrementWindowSize(increment);
-@@ -1660,7 +1702,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+@@ -1660,7 +1710,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
BacklogTracker tracker = backLogStreams.get(stream);
if (tracker == null || increment < tracker.getRemainingReservation()) {
// The smaller the increment, the larger the overhead
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/e71e6118d788a4fdc846cc3dd0773b056b6e93c0...e0987541c9c719f27ae9304c93bebdfe1ed28efb