CVE-2021-44716

author Filippo Valsorda <filippo@golang.org>

Thu, 9 Dec 2021 11:32:14 +0000 (06:32 -0500)

committer Shengjing Zhu <zhsj@debian.org>

Sat, 4 Dec 2021 09:37:57 +0000 (09:37 +0000)
author Filippo Valsorda <filippo@golang.org>
Thu, 9 Dec 2021 11:32:14 +0000 (06:32 -0500)
committer Shengjing Zhu <zhsj@debian.org>
Sat, 4 Dec 2021 09:37:57 +0000 (09:37 +0000)
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go

index 3d830847022c2bb75f4db9ad348a5b0571d4dc1d..06f8808dc6254e3de060cc1c590f0fce61bf4c79 100644 (file)
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4289,7 +4289,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
                 sc.canonHeader = make(map[string]string)
         }
         cv = CanonicalHeaderKey(v)
-       sc.canonHeader[v] = cv
+       // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+       // entries in the canonHeader cache. This should be larger than the number
+       // of unique, uncommon header keys likely to be sent by the peer, while not
+       // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+       // number of unique header keys.
+       const maxCachedCanonicalHeaders = 32
+       if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+               sc.canonHeader[v] = cv
+       }
         return cv
  }
author	Filippo Valsorda <filippo@golang.org>
	Thu, 9 Dec 2021 11:32:14 +0000 (06:32 -0500)
committer	Shengjing Zhu <zhsj@debian.org>
	Sat, 4 Dec 2021 09:37:57 +0000 (09:37 +0000)