[PATCH] HTTP/2: emit PROTOCOL_ERROR on invalid WINDOW_UPDATE increments

Tue Mar 28 17:25:42 UTC 2017

On Tuesday 28 March 2017 03:52:07 Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora at google.com>
> # Date 1490516706 25200
> #      Sun Mar 26 01:25:06 2017 -0700
> # Node ID ccb36c87291e38d1a63224d143cbeaa4ee4a4287
> # Parent  22be63bf21edaa1b8ea916c7d8cd4e5fe4892061
> HTTP/2: emit PROTOCOL_ERROR on invalid WINDOW_UPDATE increments.
> 
> Signed-off-by: Piotr Sikora <piotrsikora at google.com>
> 
[..]

Here's my version of the patch.
It's made similar to ngx_http_v2_state_priority().

# HG changeset patch
# User Valentin Bartenev <vbart at nginx.com>
# Date 1490721720 -10800
#      Tue Mar 28 20:22:00 2017 +0300
# Node ID 3e798c552767068056c0251d7b6bd9ffd2587fc0
# Parent  ce37362a7a70c0acd14ba01c8c2223b366b62233
HTTP/2: rejecting zero WINDOW_UPDATE with PROTOCOL_ERROR.

It's required by RFC 7540.  While there is no real harm from such frames,
that should help to detect broken clients.

Prodded by Piotr Sikora.

diff -r ce37362a7a70 -r 3e798c552767 src/http/v2/ngx_http_v2.c

--- a/src/http/v2/ngx_http_v2.c Tue Mar 28 18:15:42 2017 +0300
+++ b/src/http/v2/ngx_http_v2.c Tue Mar 28 20:22:00 2017 +0300
@@ -2161,6 +2161,40 @@ ngx_http_v2_state_window_update(ngx_http
                    "http2 WINDOW_UPDATE frame sid:%ui window:%uz",
                    h2c->state.sid, window);
 
+    if (window == 0) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent WINDOW_UPDATE frame "
+                      "with incorrect window increment 0");
+
+        if (h2c->state.sid == 0) {
+            return ngx_http_v2_connection_error(h2c,
+                                                NGX_HTTP_V2_PROTOCOL_ERROR);
+        }
+
+        node = ngx_http_v2_get_node_by_id(h2c, h2c->state.sid, 0);
+
+        if (node && node->stream) {
+            if (ngx_http_v2_terminate_stream(h2c, node->stream,
+                                             NGX_HTTP_V2_PROTOCOL_ERROR)
+                == NGX_ERROR)
+            {
+                return ngx_http_v2_connection_error(h2c,
+                                                    NGX_HTTP_V2_INTERNAL_ERROR);
+            }
+
+        } else {
+            if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid,
+                                            NGX_HTTP_V2_PROTOCOL_ERROR)
+                == NGX_ERROR)
+            {
+                return ngx_http_v2_connection_error(h2c,
+                                                    NGX_HTTP_V2_INTERNAL_ERROR);
+            }
+        }
+
+        return ngx_http_v2_state_complete(h2c, pos, end);
+    }
+
     if (h2c->state.sid) {
         node = ngx_http_v2_get_node_by_id(h2c, h2c->state.sid, 0);
 

