markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 0de12dcc92 Fix bug in HTTP/2 headers parsing
0de12dcc92 is described below
commit 0de12dcc92f307771160c16e94dffe2c0005d224
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Mar 19 12:06:06 2026 +0000
Fix bug in HTTP/2 headers parsing
---
java/org/apache/coyote/http2/Http2Parser.java | 13 +++++++++----
webapps/docs/changelog.xml | 5 +++++
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2Parser.java
b/java/org/apache/coyote/http2/Http2Parser.java
index bb18f92a07..e5b59d8d92 100644
--- a/java/org/apache/coyote/http2/Http2Parser.java
+++ b/java/org/apache/coyote/http2/Http2Parser.java
@@ -247,6 +247,12 @@ class Http2Parser {
} else {
buffer.get(optional);
}
+ /*
+ * The optional padLength byte and priority bytes (if any) don't
count towards the payload size when
+ * comparing payload size to padLength as required by RFC 9113,
section 6.2.
+ */
+ payloadSize -= optionalLen;
+
if (padding) {
padLength = ByteUtil.getOneByte(optional, 0);
if (padLength >= payloadSize) {
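Review bot: After the added `payloadSize -= optionalLen;`, nothing in this hunk keeps `payloadSize` non-negative when only the priority flag is set, because the `padLength >= payloadSize` comparison runs only inside `if (padding)`. Unless the frame length is checked against `optionalLen` earlier in the method (outside this hunk), a HEADERS frame whose payload is shorter than its optional fields would hand a negative size to `readHeaderPayload`, and the read into `optional` above would already have asked for more bytes than the frame holds. A guard ahead of that read would close the case, for example `if (payloadSize < optionalLen) { throw new ConnectionException(/* message */, Http2Error.FRAME_SIZE_ERROR); }`. The diffstat also shows no test change, so a regression test for the boundary where `padLength` equals the remaining payload would be worth adding.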
@@ -255,11 +261,10 @@ class Http2Parser {
Http2Error.PROTOCOL_ERROR);
}
}
-
- // Ignore RFC 7450 priority data if present
-
- payloadSize -= optionalLen;
+ // The padding does not count towards the size of payload that is
read below.
payloadSize -= padLength;
+
+ // Any RFC 7450 priority data was read into the byte[] optional
above. It is ignored.
}
readHeaderPayload(streamId, payloadSize, buffer);
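Review bot: The new comment `// Any RFC 7450 priority data was read into the byte[] optional above. It is ignored.` cites RFC 7450, which looks like a transposition of RFC 7540, the original HTTP/2 specification that defined the priority fields. The comment added earlier in the same method cites RFC 9113, so the two references should agree. I would write it as `// Any RFC 7540 priority data was read into the byte[] optional above. It is ignored.` The number was carried over from the removed comment, so this commit is a natural place to correct it. The enclosing method begins and ends outside the hunk.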
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5068bccf63..5dc5cf35f5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -222,6 +222,11 @@
Remove support for HTTP 0.9. (markt)
</update>
<!-- Entries for backport and removal before 12.0.0-M1 below this line
-->
+ <fix>
+ Fix an HTTP/2 header frame parsing bug that could result in a
connection
+ being closed without a <code>GOAWAY</code> frame if an invalid
+ <code>HEADERS</code> frame was received. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">