new file mode 100644

@@ -0,0 +1,59 @@

+# HG changeset patch

+# User Ruslan Ermilov <ru@nginx.com>

+# Date 1541510975 -10800

+# Node ID 1c6b6163c03945bcc65c252cc42b0af18744c085

+# Parent  fdc19a3289c1138bfe49ddbde310778ddc495729

+HTTP/2: flood detection.

+

+Fixed uncontrolled memory growth in case peer is flooding us with

+some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix

+is to limit the number of allocated control frames.

+

+diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.c

+--- a/src/http/v2/ngx_http_v2.c	Tue Nov 06 16:29:18 2018 +0300

+@@ -664,6 +664,7 @@

+ 

+     h2c->pool = NULL;

+     h2c->free_frames = NULL;

++    h2c->frames = 0;

+     h2c->free_fake_connections = NULL;

+ 

+ #if (NGX_HTTP_SSL)

+@@ -2895,7 +2896,7 @@

+ 

+         frame->blocked = 0;

+ 

+-    } else {

++    } else if (h2c->frames < 10000) {

+         pool = h2c->pool ? h2c->pool : h2c->connection->pool;

+ 

+         frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));

+@@ -2919,6 +2920,15 @@

+         frame->last = frame->first;

+ 

+         frame->handler = ngx_http_v2_frame_handler;

++

++        h2c->frames++;

++

++    } else {

++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,

++                      "http2 flood detected");

++

++        h2c->connection->error = 1;

++        return NULL;

+     }

+ 

+ #if (NGX_DEBUG)

+diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.h

+--- a/src/http/v2/ngx_http_v2.h	Tue Nov 06 16:29:18 2018 +0300

+@@ -120,6 +120,7 @@

+     ngx_http_connection_t           *http_connection;

+ 

+     ngx_uint_t                       processing;

++    ngx_uint_t                       frames;

+ 

+     ngx_uint_t                       pushing;

+     ngx_uint_t                       concurrent_pushes;

+

new file mode 100644

@@ -0,0 +1,57 @@

+# HG changeset patch

+# User Ruslan Ermilov <ru@nginx.com>

+# Date 1541510989 -10800

+# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860

+# Parent  1c6b6163c03945bcc65c252cc42b0af18744c085

+HTTP/2: limit the number of idle state switches.

+

+An attack that continuously switches HTTP/2 connection between

+idle and active states can result in excessive CPU usage.

+This is because when a connection switches to the idle state,

+all of its memory pool caches are freed.

+

+This change limits the maximum allowed number of idle state

+switches to 10 * http2_max_requests (i.e., 10000 by default).

+This limits possible CPU usage in one connection, and also

+imposes a limit on the maximum lifetime of a connection.

+

+Initially reported by Gal Goldshtein from F5 Networks.

+

+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.c

+--- a/src/http/v2/ngx_http_v2.c	Tue Nov 06 16:29:35 2018 +0300

+@@ -4481,12 +4481,19 @@

+ 

+ #endif

+ 

++    h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,

++                                         ngx_http_v2_module);

++

++    if (h2c->idle++ > 10 * h2scf->max_requests) {

++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,

++                      "http2 flood detected");

++        ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);

++        return;

++    }

++

+     c->destroyed = 0;

+     ngx_reusable_connection(c, 0);

+ 

+-    h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,

+-                                         ngx_http_v2_module);

+-

+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);

+     if (h2c->pool == NULL) {

+         ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);

+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.h

+--- a/src/http/v2/ngx_http_v2.h	Tue Nov 06 16:29:35 2018 +0300

+@@ -121,6 +121,7 @@

+ 

+     ngx_uint_t                       processing;

+     ngx_uint_t                       frames;

++    ngx_uint_t                       idle;

+ 

+     ngx_uint_t                       pushing;

+     ngx_uint_t                       concurrent_pushes;

+

@@ -1,7 +1,7 @@

 Summary:        High-performance HTTP server and reverse proxy

 Name:           nginx

 Version:        1.15.3

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        BSD-2-Clause

 URL:            http://nginx.org/download/nginx-%{version}.tar.gz

 Group:          Applications/System

@@ -13,6 +13,8 @@ Source1:        nginx.service

 Source2:        nginx-njs-0.2.1.tar.gz

 %define sha1    nginx-njs=fd8c3f2d219f175be958796e3beaa17f3b465126

 Patch0:		nginx-CVE-2018-16845.patch

+patch1:         nginx-CVE-2018-16843.patch

+patch2:         nginx-CVE-2018-16844.patch

 BuildRequires:  openssl-devel

 BuildRequires:  pcre-devel

 BuildRequires:  which

@@ -22,6 +24,8 @@ NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

+%patch2 -p1

 pushd ../

 mkdir nginx-njs

 tar -C nginx-njs -xf %{SOURCE2}

@@ -77,6 +81,8 @@ install -p -m 0644 %{SOURCE1} %{buildroot}/usr/lib/systemd/system/nginx.service

 %{_var}/log/nginx

 %changelog

+*   Mon Feb 25 2019 Ankit Jain <ankitja@vmware.com> 1.15.3-5

+-   Fix for CVE-2018-16843 and CVE-2018-16844

 *   Thu Feb 21 2019 Siju Maliakkal <smaliakkal@vmware.com> 1.15.3-4

 -   Fix CVE-2018-16845

 *   Wed Nov 07 2018 Ajay Kaher <akaher@vmware.com> 1.15.3-3