Allocation of Resources Without Limits or Throttling

Summary

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of "SETTINGS" frames to the peer. Since the RFC requires that the peer reply with one acknowledgment per "SETTINGS" frame, an empty "SETTINGS" frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. This issue affects Cpp-h2o versions prior to 2.2.6, Cpp-trafficserver versions 6.0.0 through 6.2.3, 7.0.0 through 7.1.6 and 8.0.0 through 8.0.3, and Maven-io.netty:netty-codec-http2 and Maven-io.netty:netty-all versions prior to 4.1.39.Final.