From 1de6e0986df80d3699af603a296bc22fe00ca8b8 Mon Sep 17 00:00:00 2001
From: Kazu Yamamoto <kazu@iij.ad.jp>
Date: Wed, 11 Oct 2023 09:09:17 +0900
Subject: [PATCH] adding rstRate for CVE-2023-44487

---
 Network/HTTP2/Arch/Context.hs  | 2 ++
 Network/HTTP2/Arch/Receiver.hs | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/Network/HTTP2/Arch/Context.hs b/Network/HTTP2/Arch/Context.hs
index 18e6486d..833270be 100644
--- a/Network/HTTP2/Arch/Context.hs
+++ b/Network/HTTP2/Arch/Context.hs
@@ -88,6 +88,7 @@ data Context = Context {
   , pingRate           :: Rate
   , settingsRate       :: Rate
   , emptyFrameRate     :: Rate
+  , rstRate            :: Rate
   , mySockAddr         :: SockAddr
   , peerSockAddr       :: SockAddr
   }
@@ -118,6 +119,7 @@ newContext rinfo siz mysa peersa =
                <*> newRate
                <*> newRate
                <*> newRate
+               <*> newRate
                <*> return mysa
                <*> return peersa
    where
diff --git a/Network/HTTP2/Arch/Receiver.hs b/Network/HTTP2/Arch/Receiver.hs
index d162714d..ee946157 100644
--- a/Network/HTTP2/Arch/Receiver.hs
+++ b/Network/HTTP2/Arch/Receiver.hs
@@ -46,6 +46,9 @@ settingsRateLimit = 4
 emptyFrameRateLimit :: Int
 emptyFrameRateLimit = 4
 
+rstRateLimit :: Int
+rstRateLimit = 4
+
 ----------------------------------------------------------------
 
 frameReceiver :: Context -> Config -> IO ()
@@ -449,6 +452,9 @@ stream FrameWindowUpdate header bs _ s strm = do
 
 -- Transition (stream6)
 stream FrameRSTStream header@FrameHeader{streamId} bs ctx s strm = do
+    rate <- getRate $ rstRate ctx
+    when (rate > rstRateLimit) $
+        E.throwIO $ ConnectionErrorIsSent ProtocolError streamId "too many rst_stream"
     RSTStreamFrame err <- guardIt $ decodeRSTStreamFrame header bs
     let cc = Reset err