This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Oct 5 20:54:14 2023 +0100
Improvements to HTTP/2 overhead protection.
---
 java/org/apache/coyote/http2/Http2Protocol.java | 19 ++++++++++++++++++-
 java/org/apache/coyote/http2/Http2UpgradeHandler.java | 2 ++
 webapps/docs/changelog.xml | 3 +++
 webapps/docs/config/http2.xml | 9 ++++++++-
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2Protocol.java b/java/org/apache/coyote/http2/Http2Protocol.java
index bfcf50a977..6ed50c84cf 100644
--- a/java/org/apache/coyote/http2/Http2Protocol.java
+++ b/java/org/apache/coyote/http2/Http2Protocol.java
@@ -63,8 +63,10 @@ public class Http2Protocol implements UpgradeProtocol {
 // Maximum amount of streams which can be concurrently executed over
 // a single connection
 static final int DEFAULT_MAX_CONCURRENT_STREAM_EXECUTION = 20;
-
+ // Default factor used when adjusting overhead count for overhead frames
 static final int DEFAULT_OVERHEAD_COUNT_FACTOR = 10;
+ // Default factor used when adjusting overhead count for reset frames
+ static final int DEFAULT_OVERHEAD_RESET_FACTOR = 50;
 // Not currently configurable. This makes the practical limit for
 // overheadCountFactor to be ~20. The exact limit will vary with traffic
 // patterns.
@@ -98,6 +100,7 @@ public class Http2Protocol implements UpgradeProtocol {
 private int maxTrailerCount = Constants.DEFAULT_MAX_TRAILER_COUNT;
 private int maxTrailerSize = Constants.DEFAULT_MAX_TRAILER_SIZE;
 private int overheadCountFactor = DEFAULT_OVERHEAD_COUNT_FACTOR;
+ private int overheadResetFactor = DEFAULT_OVERHEAD_RESET_FACTOR;
 private int overheadContinuationThreshold = DEFAULT_OVERHEAD_CONTINUATION_THRESHOLD;
 private int overheadDataThreshold = DEFAULT_OVERHEAD_DATA_THRESHOLD;
 private int overheadWindowUpdateThreshold = DEFAULT_OVERHEAD_WINDOW_UPDATE_THRESHOLD;
@@ -339,6 +342,20 @@ public class Http2Protocol implements UpgradeProtocol { } + public int getOverheadResetFactor() { + return overheadResetFactor; + } + + + public void setOverheadResetFactor(int overheadResetFactor) { + if (overheadResetFactor < 0) { + this.overheadResetFactor = 0; + } else { + this.overheadResetFactor = overheadResetFactor; + } + } + + public int getOverheadContinuationThreshold() { return overheadContinuationThreshold; } diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java index b5e5d5ce08..32298adb01 100644 --- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java @@ -1812,6 +1812,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH log.debug(sm.getString("upgradeHandler.reset.receive", getConnectionId(), Integer.toString(streamId), Long.toString(errorCode))); } + increaseOverheadCount(FrameType.RST, getProtocol().getOverheadResetFactor()); AbstractNonZeroStream abstractNonZeroStream = getAbstractNonZeroStream(streamId, true); abstractNonZeroStream.checkState(FrameType.RST); if (abstractNonZeroStream instanceof Stream) { @@ -1945,6 +1946,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH @Override public void priorityUpdate(int prioritizedStreamID, Priority p) throws Http2Exception { + increaseOverheadCount(FrameType.PRIORITY_UPDATE); AbstractNonZeroStream abstractNonZeroStream = getAbstractNonZeroStream(prioritizedStreamID, true); if (abstractNonZeroStream instanceof Stream) { Stream stream = (Stream) abstractNonZeroStream; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d833560c08..5d7614a1a7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
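Review bot: `setOverheadResetFactor` silently turns any negative value into 0, and neither new accessor documents what a factor of 0 means for the protection. With 0 the call added in `Http2UpgradeHandler.reset()` would presumably add nothing to the overhead count per reset frame, so a mistyped attribute quietly removes the reset accounting; how `increaseOverheadCount` handles a zero increment is not visible in this diff. I would add Javadoc to the setter such as `Sets the amount added to the overhead count for each reset frame received; values below zero are treated as zero, which removes the per-reset increase`. As a style point the branch can be written as `this.overheadResetFactor = Math.max(0, overheadResetFactor);`.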
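Review bot: In `reset()` the new `increaseOverheadCount(FrameType.RST, ...)` call runs before `getAbstractNonZeroStream(streamId, true)` and `checkState(FrameType.RST)`, so a reset frame is charged even when the state check presumably rejects it afterwards. That ordering looks deliberate and deserves a comment such as `// Count the frame before validating it so that rejected resets still contribute to the overhead limit`. With the default of 50 per reset against the documented credit of 20 per headers frame, a client that cancels several requests in a row moves the count towards the close threshold quickly, and the diffstat shows no test file for either the abusive or the ordinary cancellation pattern. A test that asserts after how many header/reset pairs the connection is closed would pin the intended threshold, and the same applies to the `PRIORITY_UPDATE` increment added in `priorityUpdate()`. Both methods start and end outside their hunks.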
@@ -163,6 +163,9 @@ <fix> Align validation of HTTP trailer fields with standard fields. (markt) </fix> + <fix> + Improvements to HTTP/2 overhead protection. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> diff --git a/webapps/docs/config/http2.xml b/webapps/docs/config/http2.xml index 34d4c9e603..9c95189fdc 100644 --- a/webapps/docs/config/http2.xml +++ b/webapps/docs/config/http2.xml @@ -222,7 +222,7 @@ count starts at <code>-10 * overheadCountFactor</code>. The count is decreased by 20 for each data frame sent or received and each headers frame received. The count is increased by the <code>overheadCountFactor</code> - for each setting received, priority frame received and ping received. If + for each setting, priority, priority update and ping frame received. If the overhead count exceeds zero, the connection is closed. A value of less than <code>1</code> disables this protection. In normal usage a value of approximately <code>20</code> or higher will close the connection before @@ -230,6 +230,13 @@ <code>10</code> will be used.</p> </attribute> + <attribute name="overheadResetFactor" required="false"> + <p>The amount by which the overhead count (see + <strong>overheadCountFactor</strong>) will be increased for each reset + frame received. If not specified, a default value of <code>50</code> will + be used. A value of less than zero will be treated as zero.</p> + </attribute> + <attribute name="overheadDataThreshold" required="false"> <p>The threshold below which the average payload size of the current and previous non-final <code>DATA</code> frames will trigger an increase in --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org