Bug-fix: fixes a potential 'End Stream Headers' vulnerability and adds test coverage for various HTTP/2 stream reset exploits

ok2c · ok2c · commit 38d26fc2ba12 · 2025-08-14T11:52:44.000+02:00
diff --git a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/nio/AbstractH2StreamMultiplexer.java b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/nio/AbstractH2StreamMultiplexer.java
@@ -756,7 +756,9 @@ private void consumeFrame(final RawFrame frame) throws HttpException, IOExceptio
                 H2Stream stream = streamMap.get(streamId);
                 if (stream == null) {
                     acceptHeaderFrame();
-
+                    if (streamId <= lastStreamId.get()) {
+                        throw new H2ConnectionException(H2Error.STREAM_CLOSED, "Stream closed");
+                    }
                     if (idGenerator.isSameSide(streamId)) {
                         throw new H2ConnectionException(H2Error.PROTOCOL_ERROR, "Illegal stream id: " + streamId);
                     }
@@ -814,7 +816,6 @@ private void consumeFrame(final RawFrame frame) throws HttpException, IOExceptio
 
                 final H2Stream stream = getValidStream(streamId);
                 try {
-
                     consumeContinuationFrame(frame, stream);
                 } catch (final H2StreamResetException ex) {
                     stream.localReset(ex);
@@ -1024,6 +1025,9 @@ private void consumeFrame(final RawFrame frame) throws HttpException, IOExceptio
     }
 
     private void consumeDataFrame(final RawFrame frame, final H2Stream stream) throws HttpException, IOException {
+        if (stream.isRemoteClosed()) {
+            throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
+        }
         final int streamId = stream.getId();
         final ByteBuffer payload = frame.getPayloadContent();
         if (payload != null) {
@@ -1037,9 +1041,6 @@ private void consumeDataFrame(final RawFrame frame, final H2Stream stream) throw
                 maximizeWindow(0, connInputWindow);
             }
         }
-        if (stream.isRemoteClosed()) {
-            throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
-        }
         if (frame.isFlagSet(FrameFlag.END_STREAM)) {
             stream.setRemoteEndStream();
         }
@@ -1081,6 +1082,9 @@ List<Header> decodeHeaders(final ByteBuffer payload) throws HttpException {
     }
 
     private void consumeHeaderFrame(final RawFrame frame, final H2Stream stream) throws HttpException, IOException {
+        if (stream.isRemoteClosed()) {
+            throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
+        }
         final int streamId = stream.getId();
         if (!frame.isFlagSet(FrameFlag.END_HEADERS)) {
             continuation = new Continuation(streamId, frame.getType(), frame.isFlagSet(FrameFlag.END_STREAM));
@@ -1099,9 +1103,6 @@ private void consumeHeaderFrame(final RawFrame frame, final H2Stream stream) thr
             if (streamListener != null) {
                 streamListener.onHeaderInput(this, streamId, headers);
             }
-            if (stream.isRemoteClosed()) {
-                throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
-            }
             if (stream.isLocalReset()) {
                 return;
             }
@@ -1115,6 +1116,9 @@ private void consumeHeaderFrame(final RawFrame frame, final H2Stream stream) thr
     }
 
     private void consumeContinuationFrame(final RawFrame frame, final H2Stream stream) throws HttpException, IOException {
+        if (stream.isRemoteClosed()) {
+            throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
+        }
         final int streamId = frame.getStreamId();
         final ByteBuffer payload = frame.getPayload();
         continuation.copyPayload(payload);
@@ -1126,9 +1130,6 @@ private void consumeContinuationFrame(final RawFrame frame, final H2Stream strea
             if (streamListener != null) {
                 streamListener.onHeaderInput(this, streamId, headers);
             }
-            if (stream.isRemoteClosed()) {
-                throw new H2StreamResetException(H2Error.STREAM_CLOSED, "Stream already closed");
-            }
             if (stream.isLocalReset()) {
                 return;
             }
diff --git a/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/nio/TestAbstractH2StreamMultiplexer.java b/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/nio/TestAbstractH2StreamMultiplexer.java
@@ -30,7 +30,9 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
+import java.util.concurrent.locks.Lock;
 
 import org.apache.hc.core5.function.Supplier;
 import org.apache.hc.core5.http.Header;
@@ -44,6 +46,8 @@
 import org.apache.hc.core5.http.nio.command.ExecutableCommand;
 import org.apache.hc.core5.http.protocol.HttpProcessor;
 import org.apache.hc.core5.http2.H2ConnectionException;
+import org.apache.hc.core5.http2.H2Error;
+import org.apache.hc.core5.http2.H2StreamResetException;
 import org.apache.hc.core5.http2.WritableByteChannelMock;
 import org.apache.hc.core5.http2.config.H2Config;
 import org.apache.hc.core5.http2.frame.DefaultFrameFactory;
@@ -72,17 +76,22 @@ class TestAbstractH2StreamMultiplexer {
     @Mock
     ProtocolIOSession protocolIOSession;
     @Mock
+    Lock lock;
+    @Mock
     HttpProcessor httpProcessor;
     @Mock
     H2StreamListener h2StreamListener;
     @Mock
     H2StreamHandler streamHandler;
     @Captor
     ArgumentCaptor<List<Header>> headersCaptor;
+    @Captor
+    ArgumentCaptor<Exception> exceptionCaptor;
 
     @BeforeEach
     void prepareMocks() {
         MockitoAnnotations.openMocks(this);
+        Mockito.when(protocolIOSession.getLock()).thenReturn(lock);
     }
 
     static class H2StreamMultiplexerImpl extends AbstractH2StreamMultiplexer {
@@ -270,5 +279,264 @@ void testInputHeaderContinuationFrame() throws IOException, HttpException {
         Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(false));
         Assertions.assertFalse(headersCaptor.getValue().isEmpty());
     }
+
+    @Test
+    void testZeroIncrement() throws Exception {
+        final H2Config h2Config = H2Config.custom()
+                .build();
+
+        final AbstractH2StreamMultiplexer streamMultiplexer = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.EVEN,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                h2Config,
+                h2StreamListener,
+                () -> streamHandler);
+
+        final ByteArrayBuffer headerBuf = new ByteArrayBuffer(200);
+        final HPackEncoder encoder = new HPackEncoder(h2Config.getHeaderTableSize(),
+                CharCodingSupport.createEncoder(CharCodingConfig.DEFAULT));
+
+        final List<Header> headers = Arrays.asList(
+                new BasicHeader(":method", "GET"),
+                new BasicHeader(":scheme", "http"),
+                new BasicHeader(":path", "/"),
+                new BasicHeader(":authority", "www.example.com"));
+        encoder.encodeHeaders(headerBuf, headers, h2Config.isCompressionEnabled());
+
+        final WritableByteChannelMock writableChannel = new WritableByteChannelMock(1024);
+        final FrameOutputBuffer outBuffer = new FrameOutputBuffer(16 * 1024);
+
+        final RawFrame headerFrame = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(true));
+        Assertions.assertFalse(headersCaptor.getValue().isEmpty());
+
+        writableChannel.reset();
+        final ByteBuffer payload = ByteBuffer.allocate(4);
+        payload.putInt(0);
+        payload.flip();
+        final RawFrame incrementFrame = new RawFrame(FrameType.WINDOW_UPDATE.getValue(), 0, 1, payload);
+        outBuffer.write(incrementFrame, writableChannel);
+
+        final H2ConnectionException exception = Assertions.assertThrows(H2ConnectionException.class, () ->
+                streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray())));
+        Assertions.assertEquals(H2Error.PROTOCOL_ERROR, H2Error.getByCode(exception.getCode()));
+    }
+
+    @Test
+    void testIncrementOverflow() throws Exception {
+        final H2Config h2Config = H2Config.custom()
+                .build();
+
+        final AbstractH2StreamMultiplexer streamMultiplexer = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.EVEN,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                h2Config,
+                h2StreamListener,
+                () -> streamHandler);
+
+        final ByteArrayBuffer headerBuf = new ByteArrayBuffer(200);
+        final HPackEncoder encoder = new HPackEncoder(h2Config.getHeaderTableSize(),
+                CharCodingSupport.createEncoder(CharCodingConfig.DEFAULT));
+
+        final List<Header> headers = Arrays.asList(
+                new BasicHeader(":method", "GET"),
+                new BasicHeader(":scheme", "http"),
+                new BasicHeader(":path", "/"),
+                new BasicHeader(":authority", "www.example.com"));
+        encoder.encodeHeaders(headerBuf, headers, h2Config.isCompressionEnabled());
+
+        final WritableByteChannelMock writableChannel = new WritableByteChannelMock(1024);
+        final FrameOutputBuffer outBuffer = new FrameOutputBuffer(16 * 1024);
+
+        final RawFrame headerFrame = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(true));
+        Assertions.assertFalse(headersCaptor.getValue().isEmpty());
+
+        writableChannel.reset();
+        final RawFrame incrementFrame1 = FRAME_FACTORY.createWindowUpdate(1, 100);
+        outBuffer.write(incrementFrame1, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        writableChannel.reset();
+        final RawFrame incrementFrame2 = FRAME_FACTORY.createWindowUpdate(1, 0x7fffffff - 50);
+        outBuffer.write(incrementFrame2, writableChannel);
+        final H2ConnectionException exception = Assertions.assertThrows(H2ConnectionException.class, () ->
+                streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray())));
+        Assertions.assertEquals(H2Error.FLOW_CONTROL_ERROR, H2Error.getByCode(exception.getCode()));
+    }
+
+    @Test
+    void testHeadersAfterEndOfStream() throws Exception {
+        final H2Config h2Config = H2Config.custom()
+                .build();
+
+        final AbstractH2StreamMultiplexer streamMultiplexer = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.EVEN,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                h2Config,
+                h2StreamListener,
+                () -> streamHandler);
+
+        final ByteArrayBuffer headerBuf = new ByteArrayBuffer(200);
+        final HPackEncoder encoder = new HPackEncoder(h2Config.getHeaderTableSize(),
+                CharCodingSupport.createEncoder(CharCodingConfig.DEFAULT));
+
+        final List<Header> headers = Arrays.asList(
+                new BasicHeader(":method", "GET"),
+                new BasicHeader(":scheme", "http"),
+                new BasicHeader(":path", "/"),
+                new BasicHeader(":authority", "www.example.com"));
+        encoder.encodeHeaders(headerBuf, headers, h2Config.isCompressionEnabled());
+
+        final WritableByteChannelMock writableChannel = new WritableByteChannelMock(1024);
+        final FrameOutputBuffer outBuffer = new FrameOutputBuffer(16 * 1024);
+
+        final RawFrame headerFrame1 = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame1, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(true));
+        Assertions.assertFalse(headersCaptor.getValue().isEmpty());
+
+        writableChannel.reset();
+        final RawFrame headerFrame2 = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame2, writableChannel);
+
+        // Treat the first occurrence as a stream error
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+        Mockito.verify(streamHandler).failed(exceptionCaptor.capture());
+        Assertions.assertInstanceOf(H2StreamResetException.class, exceptionCaptor.getValue());
+
+        writableChannel.reset();
+        final RawFrame headerFrame3 = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame3, writableChannel);
+
+        // Treat subsequent occurrences as a connection-wide protocol error
+        final H2ConnectionException exception = Assertions.assertThrows(H2ConnectionException.class, () ->
+                streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray())));
+        Assertions.assertEquals(H2Error.STREAM_CLOSED, H2Error.getByCode(exception.getCode()));
+    }
+
+    @Test
+    void testDataAfterEndOfStream() throws Exception {
+        final H2Config h2Config = H2Config.custom()
+                .build();
+
+        final AbstractH2StreamMultiplexer streamMultiplexer = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.EVEN,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                h2Config,
+                h2StreamListener,
+                () -> streamHandler);
+
+        final ByteArrayBuffer headerBuf = new ByteArrayBuffer(200);
+        final HPackEncoder encoder = new HPackEncoder(h2Config.getHeaderTableSize(),
+                CharCodingSupport.createEncoder(CharCodingConfig.DEFAULT));
+
+        final List<Header> headers = Arrays.asList(
+                new BasicHeader(":method", "GET"),
+                new BasicHeader(":scheme", "http"),
+                new BasicHeader(":path", "/"),
+                new BasicHeader(":authority", "www.example.com"));
+        encoder.encodeHeaders(headerBuf, headers, h2Config.isCompressionEnabled());
+
+        final WritableByteChannelMock writableChannel = new WritableByteChannelMock(1024);
+        final FrameOutputBuffer outBuffer = new FrameOutputBuffer(16 * 1024);
+
+        final RawFrame headerFrame1 = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame1, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(true));
+        Assertions.assertFalse(headersCaptor.getValue().isEmpty());
+
+        writableChannel.reset();
+        final RawFrame dataFrame1 = FRAME_FACTORY.createData(1, ByteBuffer.wrap(new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 0}), true);
+        outBuffer.write(dataFrame1, writableChannel);
+
+        // Treat the first occurrence as a stream error
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+        Mockito.verify(streamHandler).failed(exceptionCaptor.capture());
+        Assertions.assertInstanceOf(H2StreamResetException.class, exceptionCaptor.getValue());
+
+        writableChannel.reset();
+        final RawFrame dataFrame2 = FRAME_FACTORY.createData(1, ByteBuffer.wrap(new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 0}), true);
+        outBuffer.write(dataFrame2, writableChannel);
+
+        // Treat subsequent occurrences as a connection-wide protocol error
+        final H2ConnectionException exception = Assertions.assertThrows(H2ConnectionException.class, () ->
+                streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray())));
+        Assertions.assertEquals(H2Error.STREAM_CLOSED, H2Error.getByCode(exception.getCode()));
+    }
+
+    @Test
+    void testContinuationAfterEndOfStream() throws Exception {
+        final H2Config h2Config = H2Config.custom()
+                .build();
+
+        final AbstractH2StreamMultiplexer streamMultiplexer = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.EVEN,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                h2Config,
+                h2StreamListener,
+                () -> streamHandler);
+
+        final ByteArrayBuffer headerBuf = new ByteArrayBuffer(200);
+        final HPackEncoder encoder = new HPackEncoder(h2Config.getHeaderTableSize(),
+                CharCodingSupport.createEncoder(CharCodingConfig.DEFAULT));
+
+        final List<Header> headers = Arrays.asList(
+                new BasicHeader(":method", "GET"),
+                new BasicHeader(":scheme", "http"),
+                new BasicHeader(":path", "/"),
+                new BasicHeader(":authority", "www.example.com"));
+        encoder.encodeHeaders(headerBuf, headers, h2Config.isCompressionEnabled());
+
+        final WritableByteChannelMock writableChannel = new WritableByteChannelMock(1024);
+        final FrameOutputBuffer outBuffer = new FrameOutputBuffer(16 * 1024);
+
+        final RawFrame headerFrame1 = FRAME_FACTORY.createHeaders(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true, true);
+        outBuffer.write(headerFrame1, writableChannel);
+
+        streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray()));
+
+        Mockito.verify(streamHandler).consumeHeader(headersCaptor.capture(), ArgumentMatchers.eq(true));
+        Assertions.assertFalse(headersCaptor.getValue().isEmpty());
+
+        writableChannel.reset();
+        final RawFrame continuationFrame = FRAME_FACTORY.createContinuation(1, ByteBuffer.wrap(headerBuf.array(), 0, headerBuf.length()), true);
+        outBuffer.write(continuationFrame, writableChannel);
+
+        final H2ConnectionException exception = Assertions.assertThrows(H2ConnectionException.class, () ->
+                streamMultiplexer.onInput(ByteBuffer.wrap(writableChannel.toByteArray())));
+        Assertions.assertEquals(H2Error.PROTOCOL_ERROR, H2Error.getByCode(exception.getCode()));
+    }
+
 }
 
diff --git a/httpcore5-testing/src/test/java/org/apache/hc/core5/testing/nio/HttpIntegrationTest.java b/httpcore5-testing/src/test/java/org/apache/hc/core5/testing/nio/HttpIntegrationTest.java
