Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
http2/hpack: avoid quadratic complexity in hpack decoding
When parsing a field literal containing two Huffman-encoded strings, don't decode the first string until verifying all data is present. Avoids forced quadratic complexity when repeatedly parsing a partial field, repeating the Huffman decoding of the string on each iteration. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. Fixes golang/go#57855 Fixes CVE-2022-41723 Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184 TryBot-Result: Security TryBots <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/468135 Run-TryBot: Michael Pratt <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Auto-Submit: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
- Loading branch information