
server: prohibit more than MaxConcurrentStreams handlers from running at once (#6703) #6706

Merged: 3 commits, Oct 10, 2023

Conversation

dfawley (Member) commented Oct 10, 2023

RELEASE NOTES:

  • server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487) -- in addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

@dfawley dfawley added the Type: Security A bug or other problem affecting security label Oct 10, 2023
@dfawley dfawley requested a review from zasweq October 10, 2023 18:43
@zasweq zasweq added this to the 1.57 Release milestone Oct 10, 2023

zasweq (Contributor) left a comment


LGTM.

@zasweq zasweq merged commit 6a1400d into grpc:v1.57.x Oct 10, 2023
10 of 11 checks passed
if maxStreams == 0 {
maxStreams = math.MaxUint32
} else {
if config.MaxStreams != math.MaxUint32 {

Does it mean that it will NOT take effect any more if applications set MaxConcurrentStreams as math.MaxUint32?

Note the default value set by etcd is math.MaxUint32, reference:


// concurrent calls to acquire, but also note that with synchronous calls to
// acquire, as our system does, n will never be less than -1. There are
// fairness issues (queuing) to consider if this was to be generalized.
if atomic.AddInt64(&q.n, -1) <= 0 {

Suspect this -1 should be 1.
Spotted by @colega
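The two review comments above concern the handler quota that this PR introduces: a counter that is decremented on acquire and released when a handler returns, with the question of how a limit of math.MaxUint32 (etcd's default) is treated. The program below is an added example written for this page, not grpc-go's handlerQuota or any code from the PR. It builds the same kind of bound with a mutex and condition variable instead of a bare atomic counter, so a limit of math.MaxUint32 costs no per-slot allocation and still acts as a real limit, and a zero setting is mapped to math.MaxUint32 the way the PR treats an unset MaxConcurrentStreams. The Quota type, RunBurst helper and the limit values used are all assumptions of this example.

```go
package main

import (
	"fmt"
	"math"
	"runtime"
	"sync"
	"sync/atomic"
)

// Quota caps the number of RPC handlers running at once. Added example in the
// spirit of the PR's handler quota, not grpc-go's own type: a counting
// semaphore guarded by a mutex and condition variable. Holding the free count
// as a number (rather than a buffered channel of slots) means a limit of
// math.MaxUint32 is as cheap as a limit of 4.
type Quota struct {
	mu    sync.Mutex
	cond  *sync.Cond
	free  uint32 // slots currently available
	limit uint32 // configured maximum
}

// NewQuota creates a quota. A zero limit means "unset" and is treated as
// math.MaxUint32, mirroring how the PR handles an unset MaxConcurrentStreams.
func NewQuota(limit uint32) *Quota {
	if limit == 0 {
		limit = math.MaxUint32
	}
	q := &Quota{free: limit, limit: limit}
	q.cond = sync.NewCond(&q.mu)
	return q
}

// Acquire blocks until a slot is free; one handler may run per slot.
func (q *Quota) Acquire() {
	q.mu.Lock()
	for q.free == 0 {
		q.cond.Wait()
	}
	q.free--
	q.mu.Unlock()
}

// Release returns a slot. It must be called exactly once per Acquire, and only
// after the handler and any work it spawned have finished, otherwise the bound
// no longer reflects the work actually in flight (the release-notes caveat).
func (q *Quota) Release() {
	q.mu.Lock()
	q.free++
	q.mu.Unlock()
	q.cond.Signal()
}

// RunBurst starts n handlers at once through q and returns the peak number
// observed running simultaneously. A correct quota never lets the peak exceed
// the configured limit, whatever the burst size.
func RunBurst(q *Quota, n int) int64 {
	var running, peak int64
	var wg sync.WaitGroup
	start := make(chan struct{}) // released together so the handlers contend
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			q.Acquire()
			defer q.Release()
			cur := atomic.AddInt64(&running, 1)
			// Record a new high-water mark if this handler raised it.
			for {
				p := atomic.LoadInt64(&peak)
				if cur <= p || atomic.CompareAndSwapInt64(&peak, p, cur) {
					break
				}
			}
			runtime.Gosched() // stand in for handler work; lets others pile up
			atomic.AddInt64(&running, -1)
		}()
	}
	close(start)
	wg.Wait()
	return atomic.LoadInt64(&peak)
}

func main() {
	// Constructed burst sizes and limits for illustration.
	fmt.Println("peak with limit 4:", RunBurst(NewQuota(4), 100))
	fmt.Println("peak with MaxUint32:", RunBurst(NewQuota(math.MaxUint32), 100))
}
```

The point of RunBurst is that the bound is checked empirically rather than assumed: with a limit of 4 the peak can never exceed 4 no matter how many streams arrive, while a limit of math.MaxUint32 is still a limit in the same code path rather than a special case that switches the check off.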

@dfawley dfawley deleted the cp3 branch October 23, 2023 16:50
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2024
Labels: Type: Security (a bug or other problem affecting security)