commit d5cc31b5e6824f8b031c045fab990f31010ee8a1
Author: Tomas Korbar
Date: Wed Oct 18 17:02:33 2023 +0200
Upstream #3997 PR Fix CVE-2023-44487
diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
index f6925f3..b237f86 100644
--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -586,6 +586,14 @@
 Number of session closes with Error VCL_FAILURE (VCL failure)
+.. varnish_vsc:: sc_rapid_reset
+ :level: diag
+ :oneliner: Session Err RAPID_RESET
+
+ Number of times we failed an http/2 session because it hit its
+ configured limits for the number of permitted rapid stream
+ resets.
+
 .. varnish_vsc:: client_resp_500
 :level: diag
 :group: wrk
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
index 205b96c..36a21bc 100644
--- a/bin/varnishd/http2/cache_http2.h
+++ b/bin/varnishd/http2/cache_http2.h
@@ -184,6 +184,8 @@ struct h2_sess {
 h2_error error;
 int open_streams;
+ double rst_budget;
+ vtim_real last_rst;
 };
 #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 98f5dc4..270603a 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -43,6 +43,7 @@
 #include "vtcp.h"
 #include "vtim.h"
+#define H2_CUSTOM_ERRORS
 #define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}};
 #define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}};
 #define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d)
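Review bot: The two fields added to struct h2_sess in cache_http2.h carry no comment, so a reader of the header cannot tell that `rst_budget` is a fractional allowance of stream resets and `last_rst` the time it was last refilled, which is how h2_rapid_reset() in cache_http2_proto.c uses them. Suggest `double rst_budget; /* remaining rapid-reset allowance, refilled by h2_rapid_reset() */` and `vtim_real last_rst; /* time of the last rst_budget refill */`. The struct definition starts before this hunk.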
@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 /**********************************************************************
 */
+static h2_error
+h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+{
+ vtim_real now;
+ vtim_dur d;
+
+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ ASSERT_RXTHR(h2);
+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
+
+ if (cache_param->h2_rapid_reset_limit == 0)
+ return (0);
+
+ now = VTIM_real();
+ CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
+ AN(r2->req->t_first);
+ if (now - r2->req->t_first > cache_param->h2_rapid_reset)
+ return (0);
+
+ d = now - h2->last_rst;
+ h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
+ cache_param->h2_rapid_reset_period;
+ h2->rst_budget = vmin_t(double, h2->rst_budget,
+ cache_param->h2_rapid_reset_limit);
+ h2->last_rst = now;
+
+ if (h2->rst_budget < 1.0) {
+ Lck_Lock(&h2->sess->mtx);
+ VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2CE_RAPID_RESET);
+ }
+ h2->rst_budget -= 1.0;
+ return (0);
+}
+
 static h2_error v_matchproto_(h2_rxframe_f)
 h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 {
+ h2_error h2e;
 CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
 ASSERT_RXTHR(h2);
@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 return (H2CE_FRAME_SIZE_ERROR);
 if (r2 == NULL)
 return (0);
+ h2e = h2_rapid_reset(wrk, h2, r2);
 h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
- return (0);
+ return (h2e);
 }
 /**********************************************************************
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index de10835..720b009 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
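Review bot: `d = now - h2->last_rst` in h2_rapid_reset() can be negative when the clock behind VTIM_real() (presumably wall-clock time, the same source as `sp->t_open` in h2_init_sess) steps backwards, and the refill line then subtracts from `rst_budget`; a large enough backward step pushes the budget below 1.0 and closes a well-behaved session on its next reset, while a forward step just grants extra allowance. Clamping the elapsed time before the refill, `if (d < 0) d = 0;`, keeps the budget monotone under clock adjustments; using a monotonic clock instead would also require changing how `t_first` is sourced, which is outside this hunk. The function also has no header comment; a short one stating that it is a token bucket (refill proportional to elapsed time, capped at h2_rapid_reset_limit, one token consumed per reset of a stream younger than h2_rapid_reset) would make the arithmetic self-explanatory. The early return on `h2_rapid_reset_limit == 0` matches the opt-out documented in params.h.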
@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
 h2_local_settings(&h2->local_settings);
 h2->remote_settings = H2_proto_settings;
 h2->decode = decode;
+ h2->rst_budget = cache_param->h2_rapid_reset_limit;
+ h2->last_rst = sp->t_open;
+ AZ(isnan(h2->last_rst));
 AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
index 02044db..0293539 100644
--- a/include/tbl/h2_error.h
+++ b/include/tbl/h2_error.h
@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR, 10,2, "TCP connection error for CONNECT method")
 H2_ERROR(ENHANCE_YOUR_CALM, 11,3, "Processing capacity exceeded")
 H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable")
 H2_ERROR(HTTP_1_1_REQUIRED, 13,1, "Use HTTP/1.1 for the request")
+
+#ifdef H2_CUSTOM_ERRORS
+H2_ERROR(
+ /* name */ RAPID_RESET,
+ /* val */ 11, /* ENHANCE_YOUR_CALM */
+ /* types */ 1,
+ /* descr */ "http/2 rapid reset detected"
+)
+
+# undef H2_CUSTOM_ERRORS
+#endif
+
 #undef H2_ERROR
 /*lint -restore */
diff --git a/include/tbl/params.h b/include/tbl/params.h
index deecd20..61748e4 100644
--- a/include/tbl/params.h
+++ b/include/tbl/params.h
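Review bot: The three added lines in h2_init_sess() seed the rapid-reset token bucket but do not say so, and the choice of `sp->t_open` as the initial refill timestamp is not obvious on its own. Suggest a one-line comment above them, `/* rapid reset token bucket: start with a full allowance, refilled from t_open by h2_rapid_reset() */`. Note that the limit is copied from cache_param at session start, so a session created while the limit is 0 begins with an empty budget and relies on the refill in h2_rapid_reset() if the parameter is later raised; that seems acceptable but is worth stating. The enclosing function starts and ends outside the hunk.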
@@ -1901,6 +1901,53 @@ PARAM(
 /* func */ NULL
 )
+PARAM(
+ /* name */ h2_rapid_reset,
+ /* typ */ timeout,
+ /* min */ "0.000",
+ /* max */ NULL,
+ /* def */ "1.000",
+ /* units */ "seconds",
+ /* flags */ EXPERIMENTAL,
+ /* s-text */
+ "The upper threshold for how rapid an http/2 RST has to come for "
+ "it to be treated as suspect and subjected to the rate limits "
+ "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
+PARAM(
+ /* name */ h2_rapid_reset_limit,
+ /* typ */ uint,
+ /* min */ "0",
+ /* max */ NULL,
+ /* def */ "3600",
+ /* units */ NULL,
+ /* flags */ EXPERIMENTAL,
+ /* s-text */
+ "HTTP2 RST Allowance.\n"
+ "Specifies the maximum number of allowed stream resets issued by\n"
+ "a client over a time period before the connection is closed.\n"
+ "Setting this parameter to 0 disables the limit.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
+PARAM(
+ /* name */ h2_rapid_reset_period,
+ /* typ */ timeout,
+ /* min */ "1.000",
+ /* max */ NULL,
+ /* def */ "60.000",
+ /* units */ "seconds",
+ /* flags */ EXPERIMENTAL|WIZARD,
+ /* s-text */
+ "HTTP2 sliding window duration for h2_rapid_reset_limit.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
 #undef PARAM
 /*lint -restore */
diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
index c20e71c..de130aa 100644
--- a/include/tbl/sess_close.h
+++ b/include/tbl/sess_close.h
@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1, "Session pipe overflow")
 SESS_CLOSE(RANGE_SHORT, range_short, 1, "Insufficient data for range")
 SESS_CLOSE(REQ_HTTP20, req_http20, 1, "HTTP2 not accepted")
 SESS_CLOSE(VCL_FAILURE, vcl_failure, 1, "VCL failure")
+SESS_CLOSE(RAPID_RESET, rapid_reset, 1, "HTTP2 rapid reset")
 #undef SESS_CLOSE
 /*lint -restore */
diff --git a/include/vdef.h b/include/vdef.h
index 60d833c..327d506 100644
--- a/include/vdef.h
+++ b/include/vdef.h
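Review bot: The s-text of h2_rapid_reset_period calls it a "sliding window" and h2_rapid_reset_limit speaks of resets "over a time period", but the refill arithmetic in h2_rapid_reset() (cache_http2_proto.c) looks like a token bucket: the allowance refills continuously at limit/period per second, capped at the limit, and each suspect reset consumes one token, so a client does not get a fresh full allowance at the period boundary. Suggest `"HTTP2 token bucket refill period for h2_rapid_reset_limit."` for the period and, for the limit, `"a client within h2_rapid_reset_period before the connection is closed;\n" "the allowance refills continuously over that period.\n"`. The `/* min */ "1.000"` on h2_rapid_reset_period is also load-bearing, since h2_rapid_reset() divides by it, and deserves a trailing `/* divisor in h2_rapid_reset() */` so nobody lowers it to 0.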
@@ -93,6 +93,47 @@
 # define v_deprecated_
 #endif
+/**********************************************************************
+ * Find the minimum or maximum values.
+ * Only evaluate the expression once and perform type checking.
+ */
+
+/* ref: https://stackoverflow.com/a/17624752 */
+
+#define VINDIRECT(a, b, c) a ## b ## c
+#define VCOMBINE(a, b, c) VINDIRECT(a, b, c)
+
+#if defined(__COUNTER__)
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, __COUNTER__)
+#else
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, 0)
+#endif
+
+#ifdef _lint
+#define typeof(x) __typeof__(x)
+#endif
+
+/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
+
+#define _vtake(op, ta, tb, a, b, _va, _vb) \
+ ({ \
+ ta _va = (a); \
+ tb _vb = (b); \
+ (void)(&_va == &_vb); \
+ _va op _vb ? _va : _vb; \
+})
+
+#define opmin <
+#define opmax >
+#define vtake(n, ta, tb, a, b) _vtake(op ## n, ta, tb, a, b, \
+ VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
+
+#define vmin(a, b) vtake(min, typeof(a), typeof(b), a, b)
+#define vmax(a, b) vtake(max, typeof(a), typeof(b), a, b)
+
+#define vmin_t(type, a, b) vtake(min, type, type, a, b)
+#define vmax_t(type, a, b) vtake(max, type, type, a, b)
+
 /*********************************************************************
 * Pointer alignment magic
 */
diff --git a/varnish-6.0.8/bin/varnishtest/tests/r03996.vtc b/varnish-6.0.8/bin/varnishtest/tests/r03996.vtc
new file mode 100644
index 0000000..d9493d1
--- /dev/null
+++ b/varnish-6.0.8/bin/varnishtest/tests/r03996.vtc
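Review bot: `#define opmin <` and `#define opmax >` are unprefixed macros exported from vdef.h, a header included throughout the tree and by VMODs, so any identifier spelled opmin or opmax anywhere downstream would be silently rewritten into an operator; `_vtake` likewise sits in the underscore-prefixed namespace the C standard reserves for the implementation. Prefixing them in the project's style (`VOP_min`, `VOP_max`, `VTAKE`), or at least `#undef`-ing opmin/opmax right after vtake is defined, removes that hazard without changing vmin/vmax. The banner promises "type checking", but `(void)(&_va == &_vb)` only yields a compiler diagnostic for distinct pointer types, which on GCC/Clang is a warning unless -Werror is in effect; the comment could say `/* mismatched ta/tb produce a distinct-pointer-types diagnostic */` so readers do not expect a hard error.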
@@ -0,0 +1,59 @@
+varnishtest "h2 rapid reset"
+
+barrier b1 sock 2 -cyclic
+barrier b2 sock 5 -cyclic
+
+server s1 {
+ rxreq
+ txresp
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
+varnish v1 -cliok "param.set h2_rapid_reset 5"
+
+varnish v1 -vcl+backend {
+ import vtc;
+
+ sub vcl_recv {
+ if (req.http.barrier) {
+ vtc.barrier_sync(req.http.barrier);
+ }
+ vtc.barrier_sync("${b2_sock}");
+ }
+
+} -start
+
+client c1 {
+ stream 0 {
+ rxgoaway
+ expect goaway.err == ENHANCE_YOUR_CALM
+ } -start
+
+ stream 1 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 3 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 5 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 7 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+
+ barrier b2 sync
+ stream 0 -wait
+} -run
+
+varnish v1 -expect sc_rapid_reset == 1
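Review bot: The new test is created at `varnish-6.0.8/bin/varnishtest/tests/r03996.vtc`, while every other file in this commit lives directly under `bin/` and `include/`; unless the tree really contains a nested `varnish-6.0.8/` directory, the file lands outside the test suite directory and the `sc_rapid_reset == 1` regression check is never run. The path should presumably be `bin/varnishtest/tests/r03996.vtc`. The test body itself is consistent with the change: limit 3 and a 5-second window, four streams each reset right after the request is accepted, a GOAWAY expected with ENHANCE_YOUR_CALM (the code RAPID_RESET reuses in tbl/h2_error.h), and exactly one rapid-reset session close counted.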