This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a0e40a0d9e0e731e633f687827631a08ee199cb3 Author: Mark Thomas <[email protected]> AuthorDate: Thu Mar 19 12:06:06 2026 +0000 Fix bug in HTTP/2 headers parsing --- java/org/apache/coyote/http2/Http2Parser.java | 13 +++++++++---- webapps/docs/changelog.xml | 5 +++++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/java/org/apache/coyote/http2/Http2Parser.java b/java/org/apache/coyote/http2/Http2Parser.java index bf2912eb73..6779ea0e83 100644 --- a/java/org/apache/coyote/http2/Http2Parser.java +++ b/java/org/apache/coyote/http2/Http2Parser.java @@ -264,6 +264,12 @@ class Http2Parser { } else { buffer.get(optional); } + /* + * The optional padLength byte and priority bytes (if any) don't count towards the payload size when + * comparing payload size to padLength as required by RFC 9113, section 6.2. + */ + payloadSize -= optionalLen; + if (padding) { padLength = ByteUtil.getOneByte(optional, 0); if (padLength >= payloadSize) { @@ -272,11 +278,10 @@ class Http2Parser { Http2Error.PROTOCOL_ERROR); } } - - // Ignore RFC 7450 priority data if present - - payloadSize -= optionalLen; + // The padding does not count towards the size of payload that is read below. payloadSize -= padLength; + + // Any RFC 7450 priority data was read into the byte[] optional above. It is ignored. } readHeaderPayload(streamId, payloadSize, buffer); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d519e43144..f09df0311d 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -111,6 +111,11 @@ Align buffer reuse of the OpenSSLEngine for tomcat-native with the FFM code. (remm) </update> + <fix> + Fix an HTTP/2 header frame parsing bug that could result in a connection + being closed without a <code>GOAWAY</code> frame if an invalid + <code>HEADERS</code> frame was received. (markt) + </fix> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
