net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

[neild]

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is a PRIVATE issue for CVE-2022-41723, tracked in http://b/262602307 and fixed by http://tg/1688184.

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #58355 (for 1.19), #58356 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/468118 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

[gopherbot]

Change https://go.dev/cl/468122 mentions this issue: [release-branch.go1.20] net/http: update bundled golang.org/x/net/http2

[gopherbot]

Change https://go.dev/cl/468135 mentions this issue: http2/hpack: avoid quadratic complexity in hpack decoding