This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit dc080cdf6f4a340f32535dd4553f9d7e926b7e0f
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Mar 19 12:06:06 2026 +0000
Fix bug in HTTP/2 headers parsing
---
java/org/apache/coyote/http2/Http2Parser.java | 13 +++++++++----
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2Parser.java b/java/org/apache/coyote/http2/Http2Parser.java
index bb18f92a07..e5b59d8d92 100644
--- a/java/org/apache/coyote/http2/Http2Parser.java
+++ b/java/org/apache/coyote/http2/Http2Parser.java
@@ -247,6 +247,12 @@ class Http2Parser {
 } else {
 buffer.get(optional);
 }
+ /*
+ * The optional padLength byte and priority bytes (if any) don't count towards the payload size when
+ * comparing payload size to padLength as required by RFC 9113, section 6.2.
+ */
+ payloadSize -= optionalLen;
+
 if (padding) {
 padLength = ByteUtil.getOneByte(optional, 0);
 if (padLength >= payloadSize) {
@@ -255,11 +261,10 @@ class Http2Parser {
 Http2Error.PROTOCOL_ERROR);
 }
 }
-
- // Ignore RFC 7450 priority data if present
-
- payloadSize -= optionalLen;
+ // The padding does not count towards the size of payload that is read below.
 payloadSize -= padLength;
+
+ // Any RFC 7450 priority data was read into the byte[] optional above. It is ignored.
 }
 readHeaderPayload(streamId, payloadSize, buffer);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bc0c6805a8..da7589de9b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
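Review bot: With `payloadSize -= optionalLen;` now ahead of the padding check, the only bounds check visible in this hunk still sits inside `if (padding)`, so a HEADERS frame that sets only the priority flag is never compared against its own payload size here. If nothing earlier in the method (it starts above the hunk) rejects a payload shorter than `optionalLen`, `payloadSize` would be negative when it reaches `readHeaderPayload`, and the optional bytes would already have been read beyond the frame boundary. Consider a guard before the `optional` array is filled, for example `if (payloadSize < optionalLen) { /* connection error, as in the padding branch */ }`. The diffstat lists no test file, so a regression test for padded and priority-flagged frames at the size boundary would pin the fix.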
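Review bot: The added comment `// Any RFC 7450 priority data was read into the byte[] optional above. It is ignored.` carries over the RFC number from the comment it replaces, but HTTP/2 stream priority was specified in RFC 7540 (section 5.3); RFC 7450 is an unrelated document. Since the first hunk already cites RFC 9113 precisely, I would correct this one to `// Any RFC 7540 priority data was read into the byte[] optional above. It is ignored.` so the reference can be followed. The enclosing method starts above this hunk and continues past it.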
@@ -105,6 +105,15 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 11.0.21 (markt)" rtext="in development"> + <subsection name="Coyote"> + <changelog> + <fix> + Fix an HTTP/2 header frame parsing bug that could result in a connection + being closed without a <code>GOAWAY</code> frame if an invalid + <code>HEADERS</code> frame was received. (markt) + </fix> + </changelog> + </subsection> </section> <section name="Tomcat 11.0.20 (markt)" rtext="release in progress"> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
