Uncontrolled Resource Consumption in github.com/golang/net

CVE-2023-45288

  • github.com/golang/net
  • golang/net
  • golang.org/x/net
  • golang.org/x/net/http2
Severity High
Score 7.5/10

Summary

As part of a class of vulnerabilities known as "HTTP/2 CONTINUATION Flood," an attacker can exploit the handling of HTTP/2 CONTINUATION frames in certain implementations to cause a denial of service (DoS) by forcing an HTTP/2 endpoint to process and decode arbitrary amounts of header data. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request that is going to be rejected. These headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for an attacker to send.

The fix sets a limit on the amount of excess header frames that will be processed before the connection is closed. This affects "golang.org/x/net/http2" versions prior to 0.23.0, and "net/http" versions prior to 1.21.9, and 1.22.0-x prior to 1.22.2.
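A check for the affected ranges stated above, written as an added example (not code from the advisory or the Go project): it reports whether the running binary's Go toolchain and its golang.org/x/net dependency fall inside those ranges. The function names are hypothetical, and a version that cannot be parsed (such as a devel build) reports false and needs manual review.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// key turns "v0.22.0", "go1.21.8" or "go1.22rc1" into a comparable integer
// (major*1e6 + minor*1e3 + patch); ok is false for unparseable versions.
// Assumption of this example: each component is below 1000.
func key(v string) (k int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	for _, part := range strings.SplitN(v+".0.0", ".", 4)[:3] {
		rest := strings.TrimLeft(part, "0123456789") // drop leading digits
		n, err := strconv.Atoi(part[:len(part)-len(rest)])
		if err != nil {
			return 0, false
		}
		k = k*1000 + n
	}
	return k, true
}

// XNetAffected: golang.org/x/net prior to 0.23.0.
func XNetAffected(v string) bool {
	k, ok := key(v)
	return ok && k < 23000
}

// GoAffected: net/http prior to Go 1.21.9, or in the 1.22 line prior to 1.22.2.
func GoAffected(v string) bool {
	k, ok := key(v)
	return ok && (k < 1021009 || (k >= 1022000 && k < 1022002))
}

func main() {
	fmt.Println(runtime.Version(), "affected:", GoAffected(runtime.Version()))
	if bi, ok := debug.ReadBuildInfo(); ok {
		for _, d := range bi.Deps {
			if d.Path == "golang.org/x/net" {
				fmt.Println(d.Path, d.Version, "affected:", XNetAffected(d.Version))
			}
		}
	}
}
```

Because `net/http` bundles its own copy of the HTTP/2 code, a binary can be affected through the toolchain version even when golang.org/x/net does not appear in its dependency list.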

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.

Advisory Timeline

  • Published