mirror of
https://github.com/golang/net.git
synced 2026-03-31 18:37:08 +09:00
89ef3d95e7
Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB). Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program. Fixes CVE-2021-31525 Fixes golang/go#45710 Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>