From eadd8d48832f2cbc1dd81c69a60b3387c3981997 Mon Sep 17 00:00:00 2001 From: Go Compiler Team Date: Thu, 20 Apr 2023 15:32:58 +0100 Subject: [PATCH] CVE-2021-44716 Origin: https://github.com/golang/net/commit/491a49abca63de5e07ef554052d180a1b5fe2d70 Reviewed-by: Sylvain Beucler Last-Update: 2022-01-21 From 491a49abca63de5e07ef554052d180a1b5fe2d70 Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 6 Dec 2021 14:31:43 -0800 Subject: [PATCH] http2: cap the size of the server's canonical header cache The HTTP/2 server keeps a per-connection cache mapping header keys to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the maximum size of this cache to prevent a peer sending many unique header keys from causing unbounded memory growth. Cap chosen arbitrarily at 32 entries. Since this cache does not include common headers (e.g., "content-type"), 32 seems like more than enough for almost all normal uses. Fixes #50058 Fixes CVE-2021-44716 Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827 Reviewed-by: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/net/+/369794 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda Trust: Damien Neil Reviewed-by: Russ Cox Reviewed-by: Filippo Valsorda TryBot-Result: Gopher Robot Gbp-Pq: Name CVE-2021-44716.patch
---
src/net/http/h2_bundle.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 6182495..91ad72b 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4473,7 +4473,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
 sc.canonHeader = make(map[string]string)
 }
 cv = CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
 return cv
 }

-- 
2.30.2
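Review bot: The new guard `if len(sc.canonHeader) < maxCachedCanonicalHeaders` only stops inserts and nothing visible here ever evicts, so once 32 entries are stored every further uncached key is recomputed with `CanonicalHeaderKey` on each call for the rest of the connection. That bounds memory as intended, but the trade-off is not stated; I would add a line such as `// Once the cache is full it is never evicted; further keys are canonicalized on every call.` above the `if`. The added comment also misspells "unreasonable" as "unreaasonable". This backport touches only `h2_bundle.go`, so no regression test accompanies it here; a test that feeds many unique header keys through one connection and asserts `len(sc.canonHeader)` never exceeds 32 would pin the fix. The start of `canonicalHeader`, including the cache lookup, lies outside the hunk.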