Quick question about HTTP/2 CONTINUATION frames
ganeshmurthy opened this issue
Is libwebsockets affected by this CVE - https://nvd.nist.gov/vuln/detail/CVE-2024-27316
If yes, is there already a patch to fix the CVE?
More details here - https://kb.cert.org/vuls/id/421644
Lws has always constrained space for headers for h1 and h2; using CONTINUATION is no different conceptually than sending empty or whitespace header packets to endlessly extend the header phase on h1, or spamming it with data. AFAIK these are handled in both h1 and h2 by 1) a timeout for a client to deliver a transaction or it'll get hung up on, and 2) spamming headers until we run out of space in the ah being noticed, and we drop the stream or perhaps the whole connection.
Thank you very much for the response. Based on what you are saying, it looks like libwebsockets has internal protections against an attacker that sends a large number of CONTINUATION frames. The misbehaving stream is closed, or sometimes the entire connection might be closed, thus protecting the server using libwebsockets from running out of memory.
I am concluding that libwebsockets is well protected against CVE-2024-27316.
I am closing this issue.
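The bounded-header-space idea from the maintainer's reply, sketched as an added example that is not libwebsockets' own code: a scanner charges every HEADERS and CONTINUATION payload against a fixed per-header-block budget and signals when the peer should be dropped. The names `hb_scan` and `hb_state`, the byte budget and the frame-count cap (an assumption added here to bound zero-length frames) are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and limits; added illustration, not libwebsockets code. */
enum { H2_HEADERS = 0x1, H2_CONTINUATION = 0x9, H2_END_HEADERS = 0x4 };
enum hb_verdict { HB_OK, HB_BLOCK_OPEN, HB_PROTOCOL_ERROR, HB_OVER_BUDGET };
/* Open header block: its stream (0 = none), bytes and frames charged so far. */
struct hb_state { uint32_t stream_id; size_t used, frames; };

/* Walk the complete frames in buf. The whole HEADERS/CONTINUATION payload is
 * charged (padding and priority fields included, which is conservative). */
static enum hb_verdict hb_scan(struct hb_state *s, const uint8_t *buf, size_t len,
                               size_t budget, size_t max_frames)
{
    size_t pos = 0;
    while (len - pos >= 9) {                /* 9-byte HTTP/2 frame header */
        size_t plen = ((size_t)buf[pos] << 16) | ((size_t)buf[pos + 1] << 8) | buf[pos + 2];
        uint8_t type = buf[pos + 3], flags = buf[pos + 4];
        uint32_t sid = (((uint32_t)buf[pos + 5] & 0x7f) << 24) | ((uint32_t)buf[pos + 6] << 16) |
                       ((uint32_t)buf[pos + 7] << 8) | buf[pos + 8];
        if (len - pos - 9 < plen)
            break;                          /* partial frame: wait for more data */
        if (s->stream_id) {                 /* block open: only CONTINUATION, same stream */
            if (type != H2_CONTINUATION || sid != s->stream_id)
                return HB_PROTOCOL_ERROR;
        } else if (type == H2_CONTINUATION || (type == H2_HEADERS && !sid)) {
            return HB_PROTOCOL_ERROR;       /* orphan CONTINUATION or HEADERS on stream 0 */
        }
        if (type == H2_HEADERS || type == H2_CONTINUATION) {
            if (plen > budget - s->used || ++s->frames > max_frames)
                return HB_OVER_BUDGET;      /* caller drops the stream or connection */
            s->used += plen;
            s->stream_id = sid;
            if (flags & H2_END_HEADERS)
                *s = (struct hb_state){0};  /* block complete: reset accounting */
        }
        pos += 9 + plen;
    }
    return s->stream_id ? HB_BLOCK_OPEN : HB_OK;
}

int main(void)
{
    /* Constructed input: empty HEADERS then two empty CONTINUATION frames, stream 1 */
    static const uint8_t in[] = {0,0,0,1,0,0,0,0,1, 0,0,0,9,0,0,0,0,1, 0,0,0,9,0,0,0,0,1};
    struct hb_state s = {0};
    printf("verdict=%d\n", hb_scan(&s, in, sizeof in, 4096, 2));
    return 0;
}
```

A header block left in the `HB_BLOCK_OPEN` state still has to be bounded in time by the caller, which is the timeout half of the reply.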