deleted file mode 100644

@@ -1,15 +0,0 @@

-+++ src/os/unix/ngx_files.c

-@@ -356,6 +356,11 @@

-     n = 0;

- 

-     for ( /* void */ ; cl; cl = cl->next) {

-+

-+        if (ngx_buf_special(cl->buf)) {

-+            continue;

-+        }

-+

-         size = cl->buf->last - cl->buf->pos;

- 

-         if (prev == cl->buf->pos) {

-

new file mode 100644

@@ -0,0 +1,61 @@

+

+# HG changeset patch

+# User Ruslan Ermilov <ru@nginx.com>

+# Date 1541510975 -10800

+# Node ID 1c6b6163c03945bcc65c252cc42b0af18744c085

+# Parent  fdc19a3289c1138bfe49ddbde310778ddc495729

+HTTP/2: flood detection.

+

+Fixed uncontrolled memory growth in case peer is flooding us with

+some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix

+is to limit the number of allocated control frames.

+

+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c

+index 2c62190..b9943c9 100644

+--- a/src/http/v2/ngx_http_v2.c

+@@ -635,6 +635,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)

+ 

+     h2c->pool = NULL;

+     h2c->free_frames = NULL;

++    h2c->frames = 0;

+     h2c->free_fake_connections = NULL;

+ 

+ #if (NGX_HTTP_SSL)

+@@ -2678,7 +2679,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,

+ 

+         frame->blocked = 0;

+ 

+-    } else {

++    } else if (h2c->frames < 10000) {

+         pool = h2c->pool ? h2c->pool : h2c->connection->pool;

+ 

+         frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));

+@@ -2702,6 +2703,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,

+         frame->last = frame->first;

+ 

+         frame->handler = ngx_http_v2_frame_handler;

++

++        h2c->frames++;

++

++    } else {

++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,

++                      "http2 flood detected");

++

++        h2c->connection->error = 1;

++        return NULL;

+     }

+ 

+ #if (NGX_DEBUG)

+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h

+index 42e0eb1..11f774a 100644

+--- a/src/http/v2/ngx_http_v2.h

+@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s {

+     ngx_http_connection_t           *http_connection;

+ 

+     ngx_uint_t                       processing;

++    ngx_uint_t                       frames;

+ 

+     size_t                           send_window;

+     size_t                           recv_window;

new file mode 100644

@@ -0,0 +1,59 @@

+

+# HG changeset patch

+# User Ruslan Ermilov <ru@nginx.com>

+# Date 1541510989 -10800

+# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860

+# Parent  1c6b6163c03945bcc65c252cc42b0af18744c085

+HTTP/2: limit the number of idle state switches.

+

+An attack that continuously switches HTTP/2 connection between

+idle and active states can result in excessive CPU usage.

+This is because when a connection switches to the idle state,

+all of its memory pool caches are freed.

+

+This change limits the maximum allowed number of idle state

+switches to 10 * http2_max_requests (i.e., 10000 by default).

+This limits possible CPU usage in one connection, and also

+imposes a limit on the maximum lifetime of a connection.

+

+Initially reported by Gal Goldshtein from F5 Networks.

+

+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c

+index b9943c9..83f9c4a 100644

+--- a/src/http/v2/ngx_http_v2.c

+@@ -4237,12 +4237,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev)

+ 

+ #endif

+ 

+-    c->destroyed = 0;

+-    ngx_reusable_connection(c, 0);

+-

+     h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,

+                                          ngx_http_v2_module);

+ 

++    if (h2c->idle++ > 10 * h2scf->max_requests) {

++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,

++                      "http2 flood detected");

++        ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);

++        return;

++    }

++

++    c->destroyed = 0;

++    ngx_reusable_connection(c, 0);

++

+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);

+     if (h2c->pool == NULL) {

+         ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);

+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h

+index 11f774a..83dbea3 100644

+--- a/src/http/v2/ngx_http_v2.h

+@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s {

+ 

+     ngx_uint_t                       processing;

+     ngx_uint_t                       frames;

++    ngx_uint_t                       idle;

+ 

+     size_t                           send_window;

+     size_t                           recv_window;

@@ -1,7 +1,7 @@

 Summary:        High-performance HTTP server and reverse proxy

 Name:           nginx

 Version:        1.13.8

-Release:        5%{?dist}

+Release:        6%{?dist}

 License:        BSD-2-Clause

 URL:            http://nginx.org/download/nginx-%{version}.tar.gz

 Group:          Applications/System

@@ -12,6 +12,8 @@ Source0:        %{name}-%{version}.tar.gz

 Source1:        nginx.service

 Source2:        nginx-njs-0.2.1.tar.gz

 %define sha1    nginx-njs=fd8c3f2d219f175be958796e3beaa17f3b465126

+Patch0:         nginx-CVE-2018-16843.patch

+Patch1:         nginx-CVE-2018-16844.patch

 BuildRequires:  openssl-devel

 BuildRequires:  pcre-devel

 BuildRequires:  which

@@ -20,6 +22,8 @@ NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

 pushd ../

 mkdir nginx-njs

 tar -C nginx-njs -xf %{SOURCE2}

@@ -75,6 +79,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %dir %{_var}/log/nginx

 %changelog

+*   Mon Dec 17 2018 Ankit Jain <ankitja@vmware.com> 1.13.8-6

+-   Fix for CVE-2018-16843 and CVE-2018-16844

 *   Wed Nov 07 2018 Ajay Kaher <akaher@vmware.com> 1.13.8-5

 -   mark config files as non replaceable on upgrade.

 *   Mon Sep 10 2018 Keerthana K <keerthanak@vmware.com> 1.13.8-4