delta/node-new.git/src/node_http2.cc, branch try_Python3_on_macOS github.com: nodejs/node.git http2: send out pending data earlier 2019-09-07T04:03:06+00:00 Anna Henningsen anna@addaleax.net 2019-09-01T23:36:03+00:00 1cde519287b925a0be4485f3766fb5ceb60f94cd If there’s a lot of data waiting on a given stream, send it out early, if possible. This helps trigger the backpressure mechanism introduced in 8a4a1931b8b98 at a better time. PR-URL: https://github.com/nodejs/node/pull/29398 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
If there’s a lot of data waiting on a given stream, send
it out early, if possible. This helps trigger the backpressure
mechanism introduced in 8a4a1931b8b98 at a better time.

PR-URL: https://github.com/nodejs/node/pull/29398
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: do not start reading after write if new write is on wire 2019-09-04T15:15:24+00:00 Anna Henningsen anna@addaleax.net 2019-09-01T23:32:15+00:00 18cb4372d1fccb58580f82a58649454032774832 Don’t start reading more input data if we’re still busy writing output. This was overlooked in 8a4a1931b8b98. Fixes: https://github.com/nodejs/node/issues/29353 Fixes: https://github.com/nodejs/node/issues/29393 PR-URL: https://github.com/nodejs/node/pull/29399 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> 
Don’t start reading more input data if we’re still busy writing output.
This was overlooked in 8a4a1931b8b98.

Fixes: https://github.com/nodejs/node/issues/29353
Fixes: https://github.com/nodejs/node/issues/29393

PR-URL: https://github.com/nodejs/node/pull/29399
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
http2: remove security revert flags 2019-08-18T23:09:28+00:00 Anna Henningsen anna@addaleax.net 2019-08-15T12:33:33+00:00 4e782c9deb03b58923f22e930ba1c5a778fbe4a5 As the comment in `node_revert.h` indicates, the master branch should not provide security revert flags. Refs: https://github.com/nodejs/node/pull/29122 PR-URL: https://github.com/nodejs/node/pull/29141 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
As the comment in `node_revert.h` indicates, the master branch should
not provide security revert flags.

Refs: https://github.com/nodejs/node/pull/29122

PR-URL: https://github.com/nodejs/node/pull/29141
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: remove callback-based padding 2019-08-18T03:13:24+00:00 Anna Henningsen anna@addaleax.net 2019-08-15T13:03:43+00:00 41637a530efb761c713a36f1465cc5ea9b976900 This option is not useful in practice, as mentioned in comments and the documentation, because the overhead of calling into JS makes it unreasonably expensive. PR-URL: https://github.com/nodejs/node/pull/29144 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> 
This option is not useful in practice, as mentioned in comments and the
documentation, because the overhead of calling into JS makes it
unreasonably expensive.

PR-URL: https://github.com/nodejs/node/pull/29144
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
http2: remove unused FlushData() function 2019-08-17T14:31:54+00:00 Anna Henningsen anna@addaleax.net 2019-08-15T13:49:34+00:00 9b7362c460c0bd3073fd96c0151f4b670fece27a PR-URL: https://github.com/nodejs/node/pull/29145 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/29145
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: allow security revert for Ping/Settings Flood 2019-08-15T07:51:53+00:00 Anna Henningsen anna@addaleax.net 2019-08-12T21:36:00+00:00 ec60b625b66288cb63d63a51b115661a8503e19e nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.

The associated CVEs are CVE-2019-9512/CVE-2019-9515.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: pause input processing if sending output 2019-08-15T07:51:53+00:00 Anna Henningsen anna@addaleax.net 2019-08-11T00:22:00+00:00 8a4a1931b8b98242abb590936c31f0c20dd2e08f If we are waiting for the ability to send more output, we should not process more input. This commit a) makes us send output earlier, during processing of input, if we accumulate a lot and b) allows interrupting the call into nghttp2 that processes input data and resuming it at a later time, if we do find ourselves in a position where we are waiting to be able to send more output. This is part of mitigating CVE-2019-9511/CVE-2019-9517. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
If we are waiting for the ability to send more output, we should not
process more input. This commit a) makes us send output earlier,
during processing of input, if we accumulate a lot and b) allows
interrupting the call into nghttp2 that processes input data
and resuming it at a later time, if we do find ourselves in a position
where we are waiting to be able to send more output.

This is part of mitigating CVE-2019-9511/CVE-2019-9517.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: stop reading from socket if writes are in progress 2019-08-15T07:51:53+00:00 Anna Henningsen anna@addaleax.net 2019-08-10T23:31:20+00:00 ba624b6766fffc11fc9a387feee58be2c5e1d8b8 If a write to the underlying socket finishes asynchronously, that means that we cannot write any more data at that point without waiting for it to finish. If this happens, we should also not be producing any more input. This is part of mitigating CVE-2019-9511/CVE-2019-9517. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
If a write to the underlying socket finishes asynchronously, that
means that we cannot write any more data at that point without waiting
for it to finish. If this happens, we should also not be producing any
more input.

This is part of mitigating CVE-2019-9511/CVE-2019-9517.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: consider 0-length non-end DATA frames an error 2019-08-15T07:51:53+00:00 Anna Henningsen anna@addaleax.net 2019-08-10T21:37:58+00:00 695e38be69a780417eef32db744528c3c78d6b0b This is intended to mitigate CVE-2019-9518. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
This is intended to mitigate CVE-2019-9518.

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
http2: shrink default `vector::reserve()` allocations 2019-08-15T07:51:52+00:00 Anna Henningsen anna@addaleax.net 2019-08-10T21:18:13+00:00 b2c7c51d0bfa1b2165be409f1cedb7b1d4beaddf Allocating memory upfront comes with overhead, and in particular, `std::vector` implementations do not necessarily return memory to the system when one might expect that (e.g. after shrinking the vector). PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
Allocating memory upfront comes with overhead, and in particular,
`std::vector` implementations do not necessarily return memory
to the system when one might expect that (e.g. after shrinking the
vector).

PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>