chore(http2): pull 3528 up to master #3530

Merged (1 commit) on Jan 19, 2024

Conversation

Noah-Kennedy
Contributor

Pulls #3528 to master.

This change exposes a tunable for the max_local_error_reset_streams parameter in h2.

seanmonstar merged commit d7680e3 into hyperium:master Jan 19, 2024
21 checks passed
Noah-Kennedy deleted the noah/add-h2-config branch January 19, 2024 18:19

magurotuna added a commit to magurotuna/hyper that referenced this pull request Nov 14, 2024
The patch hyperium#3528 added the ability for hyper users to configure
`max_local_error_reset_streams` via the server builder to hyper
v0.14.29. It was then pulled in to hyper v1.2.0 as well in hyperium#3530, where
the wrong parameter `max_pending_accept_reset_streams` is passed to h2's
builder as `max_local_error_reset_streams`.

This could lead to significant impact especially when a hyper user does
not set `max_pending_accept_reset_streams`, because its default value is
`None` and passing `None` to h2's `max_local_error_reset_streams` method
will make the server vulnerable to DOS attacks.

This issue has been fixed in this patch, simply by passing the correct
value to the h2's builder method.
seanmonstar pushed a commit that referenced this pull request Nov 15, 2024
The patch #3528 added the ability for hyper users to configure
`max_local_error_reset_streams` via the server builder to hyper
v0.14.29. It was then pulled in to hyper v1.2.0 as well in #3530, where
the wrong parameter `max_pending_accept_reset_streams` is passed to h2's
builder as `max_local_error_reset_streams`.

This could lead to significant impact especially when a hyper user does
not set `max_pending_accept_reset_streams`, because its default value is
`None` and passing `None` to h2's `max_local_error_reset_streams` method
will make the server vulnerable to DOS attacks.

This issue has been fixed in this patch, simply by passing the correct
value to the h2's builder method.
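
The wiring mistake described in the commit message above, modelled as an added example (not hyper's or h2's source). `Config`, `H2Settings`, `wire_buggy`, `wire_fixed`, `connection_survives` and `passes_sentinel_check` are hypothetical names, and the limits are constructed values; the model assumes `None` means "no limit", as the commit message states.

```rust
/// Stand-in for the two h2 server limits named in the commit message.
#[derive(Debug, PartialEq)]
pub struct H2Settings {
    pub max_pending_accept_reset_streams: Option<usize>,
    pub max_local_error_reset_streams: Option<usize>,
}

/// Stand-in for the user-facing server builder configuration.
#[derive(Clone, Copy)]
pub struct Config {
    pub max_pending_accept_reset_streams: Option<usize>,
    pub max_local_error_reset_streams: Option<usize>,
}

/// The mistake: the pending-accept value is forwarded as the local-error limit.
/// Both fields are Option<usize>, so the compiler cannot flag the swap.
pub fn wire_buggy(c: Config) -> H2Settings {
    H2Settings {
        max_pending_accept_reset_streams: c.max_pending_accept_reset_streams,
        max_local_error_reset_streams: c.max_pending_accept_reset_streams,
    }
}

/// The fix: each configured value reaches the setting with the same name.
pub fn wire_fixed(c: Config) -> H2Settings {
    H2Settings {
        max_pending_accept_reset_streams: c.max_pending_accept_reset_streams,
        max_local_error_reset_streams: c.max_local_error_reset_streams,
    }
}

/// Model of the limit: does the connection stay open after `resets` local resets?
pub fn connection_survives(s: &H2Settings, resets: usize) -> bool {
    s.max_local_error_reset_streams.map_or(true, |limit| resets <= limit)
}

/// Regression check: give each tunable a distinct sentinel so a swap is visible.
pub fn passes_sentinel_check(wire: fn(Config) -> H2Settings) -> bool {
    let s = wire(Config { max_pending_accept_reset_streams: Some(11), max_local_error_reset_streams: Some(22) });
    s.max_pending_accept_reset_streams == Some(11) && s.max_local_error_reset_streams == Some(22)
}

fn main() {
    // Constructed config: pending-accept left unset, local-error limit set to 64.
    let cfg = Config { max_pending_accept_reset_streams: None, max_local_error_reset_streams: Some(64) };
    for (name, s) in [("buggy", wire_buggy(cfg)), ("fixed", wire_fixed(cfg))] {
        println!("{}: {:?} survives 1_000_000 resets: {}", name, s, connection_survives(&s, 1_000_000));
    }
}
```

A test that sets every same-typed tunable to a different sentinel value, as `passes_sentinel_check` does, fails on the swapped wiring even though the code compiles cleanly.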