This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Oct 5 20:54:14 2023 +0100

    Improvements to HTTP/2 overhead protection.
---
 java/org/apache/coyote/http2/Http2Protocol.java       | 19 ++++++++++++++++++-
 java/org/apache/coyote/http2/Http2UpgradeHandler.java |  2 ++
 webapps/docs/changelog.xml                            |  3 +++
 webapps/docs/config/http2.xml                         |  9 ++++++++-
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/http2/Http2Protocol.java 
b/java/org/apache/coyote/http2/Http2Protocol.java
index bfcf50a977..6ed50c84cf 100644
--- a/java/org/apache/coyote/http2/Http2Protocol.java
+++ b/java/org/apache/coyote/http2/Http2Protocol.java
@@ -63,8 +63,10 @@ public class Http2Protocol implements UpgradeProtocol {
     // Maximum amount of streams which can be concurrently executed over
     // a single connection
     static final int DEFAULT_MAX_CONCURRENT_STREAM_EXECUTION = 20;
-
+    // Default factor used when adjusting overhead count for overhead frames
     static final int DEFAULT_OVERHEAD_COUNT_FACTOR = 10;
+    // Default factor used when adjusting overhead count for reset frames
+    static final int DEFAULT_OVERHEAD_RESET_FACTOR = 50;
     // Not currently configurable. This makes the practical limit for
     // overheadCountFactor to be ~20. The exact limit will vary with traffic
     // patterns.
@@ -98,6 +100,7 @@ public class Http2Protocol implements UpgradeProtocol {
     private int maxTrailerCount = Constants.DEFAULT_MAX_TRAILER_COUNT;
     private int maxTrailerSize = Constants.DEFAULT_MAX_TRAILER_SIZE;
     private int overheadCountFactor = DEFAULT_OVERHEAD_COUNT_FACTOR;
+    private int overheadResetFactor = DEFAULT_OVERHEAD_RESET_FACTOR;
     private int overheadContinuationThreshold = 
DEFAULT_OVERHEAD_CONTINUATION_THRESHOLD;
     private int overheadDataThreshold = DEFAULT_OVERHEAD_DATA_THRESHOLD;
     private int overheadWindowUpdateThreshold = 
DEFAULT_OVERHEAD_WINDOW_UPDATE_THRESHOLD;
@@ -339,6 +342,20 @@ public class Http2Protocol implements UpgradeProtocol {
     }
 
 
+    public int getOverheadResetFactor() {
+        return overheadResetFactor;
+    }
+
+
+    public void setOverheadResetFactor(int overheadResetFactor) {
+        if (overheadResetFactor < 0) {
+            this.overheadResetFactor = 0;
+        } else {
+            this.overheadResetFactor = overheadResetFactor;
+        }
+    }
+
+
     public int getOverheadContinuationThreshold() {
         return overheadContinuationThreshold;
     }
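Review bot: `setOverheadResetFactor` silently turns any negative value into 0, and neither new accessor has Javadoc, so nothing in the class tells an operator what a value of 0 does. Going by the `increaseOverheadCount(FrameType.RST, getProtocol().getOverheadResetFactor())` call in Http2UpgradeHandler, 0 would presumably make reset frames add nothing to the overhead count, which is worth stating where the value is set. I would add Javadoc on the setter along the lines of `Sets the amount added to the overhead count for each reset frame received; values below zero are treated as zero.` and note the effect of zero once it is confirmed. The clamp itself can be a single line, `this.overheadResetFactor = Math.max(0, overheadResetFactor);`. The class body starts and continues outside this hunk, so whether the sibling setters use the same if/else shape is not visible here.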
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java 
b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
index b5e5d5ce08..32298adb01 100644
--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -1812,6 +1812,7 @@ class Http2UpgradeHandler extends AbstractStream 
implements InternalHttpUpgradeH
             log.debug(sm.getString("upgradeHandler.reset.receive", 
getConnectionId(), Integer.toString(streamId),
                     Long.toString(errorCode)));
         }
+        increaseOverheadCount(FrameType.RST, 
getProtocol().getOverheadResetFactor());
         AbstractNonZeroStream abstractNonZeroStream = 
getAbstractNonZeroStream(streamId, true);
         abstractNonZeroStream.checkState(FrameType.RST);
         if (abstractNonZeroStream instanceof Stream) {
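Review bot: The new `increaseOverheadCount(FrameType.RST, ...)` call runs before `getAbstractNonZeroStream` and `checkState`, so a reset frame is counted regardless of how the stream lookup and state check turn out. If that ordering is deliberate, it deserves a comment such as `// Count every received RST before validating the stream so invalid resets are not free`. The diffstat lists no test file, so neither this accounting nor the `PRIORITY_UPDATE` increment in the next hunk is pinned by a test that expects the connection to close once the overhead count goes above zero. It is also not visible here whether the reset increment still applies when `overheadCountFactor` is below 1, which http2.xml documents as disabling the protection; the new `overheadResetFactor` documentation should say which way that goes. Both method bodies start and end outside their hunks.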
@@ -1945,6 +1946,7 @@ class Http2UpgradeHandler extends AbstractStream 
implements InternalHttpUpgradeH
 
     @Override
     public void priorityUpdate(int prioritizedStreamID, Priority p) throws 
Http2Exception {
+        increaseOverheadCount(FrameType.PRIORITY_UPDATE);
         AbstractNonZeroStream abstractNonZeroStream = 
getAbstractNonZeroStream(prioritizedStreamID, true);
         if (abstractNonZeroStream instanceof Stream) {
             Stream stream = (Stream) abstractNonZeroStream;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d833560c08..5d7614a1a7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -163,6 +163,9 @@
       <fix>
         Align validation of HTTP trailer fields with standard fields. (markt)
       </fix>
+      <fix>
+        Improvements to HTTP/2 overhead protection. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
diff --git a/webapps/docs/config/http2.xml b/webapps/docs/config/http2.xml
index 34d4c9e603..9c95189fdc 100644
--- a/webapps/docs/config/http2.xml
+++ b/webapps/docs/config/http2.xml
@@ -222,7 +222,7 @@
       count starts at <code>-10 * overheadCountFactor</code>. The count is
       decreased by 20 for each data frame sent or received and each headers 
frame
       received. The count is increased by the <code>overheadCountFactor</code>
-      for each setting received, priority frame received and ping received. If
+      for each setting, priority, priority update and ping frame received. If
       the overhead count exceeds zero, the connection is closed. A value of 
less
       than <code>1</code> disables this protection. In normal usage a value of
       approximately <code>20</code> or higher will close the connection before
@@ -230,6 +230,13 @@
       <code>10</code> will be used.</p>
     </attribute>
 
+    <attribute name="overheadResetFactor" required="false">
+      <p>The amount by which the overhead count (see
+      <strong>overheadCountFactor</strong>) will be increased for each reset
+      frame received. If not specified, a default value of <code>50</code> will
+      be used. A value of less than zero will be treated as zero.</p>
+    </attribute>
+
     <attribute name="overheadDataThreshold" required="false">
       <p>The threshold below which the average payload size of the current and
       previous non-final <code>DATA</code> frames will trigger an increase in

