[Git][java-team/tomcat9][bullseye] Fixed the HTTP/2 overhead protection triggered on data frames

Thu Oct 12 16:33:26 BST 2023


Emmanuel Bourg pushed to branch bullseye at Debian Java Maintainers / tomcat9


Commits:
f5320201 by Emmanuel Bourg at 2023-10-12T17:33:12+02:00
Fixed the HTTP/2 overhead protection triggered on data frames

- - - - -


2 changed files:

- debian/changelog
- debian/patches/CVE-2023-44487.patch


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+tomcat9 (9.0.43-2~deb11u8) bullseye-security; urgency=high
+
+  * Fixed the HTTP/2 overhead protection triggered on data frames
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Thu, 12 Oct 2023 17:32:21 +0200
+
 tomcat9 (9.0.43-2~deb11u7) bullseye-security; urgency=high
 
   * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse HTTP


=====================================
debian/patches/CVE-2023-44487.patch
=====================================
@@ -2,6 +2,7 @@ Description: Improvements to HTTP/2 overhead protection.
 Origin: backport, https://github.com/apache/tomcat/commit/30cae120a61f075b1712f2e8da4daa23f1135c83
                   https://github.com/apache/tomcat/commit/94480483910f2d19561e88fb194d7b415bb527da
                   https://github.com/apache/tomcat/commit/3f0efca913b09fa3a3d9c246cc29045ac8a2befe
+                  https://github.com/apache/tomcat/commit/c551ecaa1ba4ffe50a67009a9c94efb03439ae8b
                   https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
 --- a/java/org/apache/coyote/http2/Http2Protocol.java
 +++ b/java/org/apache/coyote/http2/Http2Protocol.java
@@ -77,7 +78,7 @@ Origin: backport, https://github.com/apache/tomcat/commit/30cae120a61f075b1712f2
  
 -    private void reduceOverheadCount() {
 -        overheadCount.decrementAndGet();
-+    private void reduceOverheadCount(FrameType frameType) {
++    void reduceOverheadCount(FrameType frameType) {
 +        // A non-overhead frame reduces the overhead count by
 +        // Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR. A simple browser
 +        // request is likely to have one non-overhead frame (HEADERS) and one
@@ -292,3 +293,15 @@ Origin: backport, https://github.com/apache/tomcat/commit/30cae120a61f075b1712f2
      <attribute name="overheadDataThreshold" required="false">
        <p>The threshold below which the average payload size of the current and
        previous non-final <code>DATA</code> frames will trigger an increase in
+--- a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
+@@ -203,6 +203,9 @@
+             log.debug(sm.getString("upgradeHandler.writeBody", connectionId, stream.getIdAsString(),
+                     Integer.toString(len), Boolean.valueOf(finished)));
+         }
++
++        reduceOverheadCount(FrameType.DATA);
++
+         // Need to check this now since sending end of stream will change this.
+         boolean writeable = stream.canWrite();
+         byte[] header = new byte[9];



View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/commit/f532020119a5400255f30d7654f9ec594d8991d8

-- 
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/commit/f532020119a5400255f30d7654f9ec594d8991d8
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20231012/d2106b80/attachment.htm>
