Skip to content

Commit

Permalink
[internal-branch.go1.20-vendor] http2: fix underflow in http2 server …
Browse files Browse the repository at this point in the history
…push

After CL 534215 was merged to fix a CVE it introduced
an underflow when we try to decrement sc.curHandlers
in handlerDone.

The func startPush calls runHandler without incrementing
curHandlers. Seems to only affect users of http.Pusher.

For golang/go#63511
For golang/go#63740

Change-Id: Ic537c27c9945c2c2d4306ddb04e9527b65cee320
GitHub-Last-Rev: 249fe55
GitHub-Pull-Request: #197
Reviewed-on: https://go-review.googlesource.com/c/net/+/535595
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Mauri de Souza Meneguzzo <[email protected]>
(cherry picked from commit 37479d6)
Reviewed-on: https://go-review.googlesource.com/c/net/+/537956
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
  • Loading branch information
mauri870 authored and gopherbot committed Oct 27, 2023
1 parent 16ed2c8 commit b8c2abf
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions http2/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -3204,6 +3204,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
}

sc.curHandlers++
go sc.runHandler(rw, req, sc.handler.ServeHTTP)
return promisedID, nil
}
Expand Down

0 comments on commit b8c2abf

Please sign in to comment.