Limit the number of Continuation frames per HTTP2 Headers#13969
Limit the number of Continuation frames per HTTP2 Headers#13969normanmaurer merged 8 commits into4.1from
Conversation
|
Since the default is getting set to 16, this looks like it would break existing users that allow MAX_HEADER_LIST_SIZE > 256 KiB. I'm also not wild about a config option like this which needs a reasonable amount of understanding of how other settings work together. Could we instead base this off of MAX_HEADER_LIST_SIZE? Or only count CONTINUATIONS that are less than half of 16 KiB (which seems better than half of MAX_FRAME_SIZE), and only allow 1ish of such CONTINUATIONS? Or more simply "reject a CONTINUATION with END_HEADERS=0 if it is less than 8 KiB." Even if we have configuration for these, virtually nobody would need to actually use the setting. |
|
The implementation looks good but I agree with Eric about his concern regarding a fix number of frames. I do like his solution of rejecting < 8KiB non-terminal continuation frames. The exact size of rejecting could be the tuning parameter where 0 is 'not checked'. |
chrisvest
left a comment
There was a problem hiding this comment.
One thing but otherwise looks good.
codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2FrameReaderTest.java
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2FrameReader.java
Outdated
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2FrameReader.java
Outdated
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
ejona86
left a comment
There was a problem hiding this comment.
I agree with the need for style/docs mentioning "small." But the approach LGTM
Co-authored-by: Bryce Anderson <bl_anderson@apple.com>
|
@bryce-anderson all addressed... PTAL |
bryce-anderson
left a comment
There was a problem hiding this comment.
lgtm other than defining what small means.
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
chrisvest
left a comment
There was a problem hiding this comment.
Generally looks good. Spotted one style issue. I'd also like a definition for "small" though I don't fully understand Bryce's proposed phrasing.
codec-http2/src/main/java/io/netty/handler/codec/http2/Http2CodecUtil.java
Outdated
Show resolved
Hide resolved
...-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
Outdated
Show resolved
Hide resolved
Indeed, I tried to clean it up a bit more. Don't feel compelled to take my suggestions as is but users should know that small means < 8KiB. |
Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com>
Motivation: We should limit the number of continuation frames that the remote peer is allowed to sent per headers. Modifications: - Limit the number of continuation frames by default to 16 and allow the user to change this. - Add unit test Result: Do some more validations to guard against resource usage --------- Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com> (cherry picked from commit 9f47a7b)
Motivation: We should limit the number of continuation frames that the remote peer is allowed to sent per headers. Modifications: - Limit the number of continuation frames by default to 16 and allow the user to change this. - Add unit test Result: Do some more validations to guard against resource usage --------- Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com> (cherry picked from commit 9f47a7b)
|
Auto-port PR for 5.0: #16535 |
|
Auto-port PR for 4.2: #16536 |
…ers (#16536) Auto-port of #13969 to 4.2 Cherry-picked commit: 9f47a7b --- Motivation: We should limit the number of continuation frames that the remote peer is allowed to sent per headers. Modifications: - Limit the number of continuation frames by default to 16 and allow the user to change this. - Add unit test Result: Do some more validations to guard against resource usage Co-authored-by: Norman Maurer <norman_maurer@apple.com> Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com>
…ers (#16535) Auto-port of #13969 to 5.0 Cherry-picked commit: 9f47a7b --- Motivation: We should limit the number of continuation frames that the remote peer is allowed to sent per headers. Modifications: - Limit the number of continuation frames by default to 16 and allow the user to change this. - Add unit test Result: Do some more validations to guard against resource usage Co-authored-by: Norman Maurer <norman_maurer@apple.com> Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com>
Motivation:
We should limit the number of continuation frames that the remote peer is allowed to sent per headers.
Modifications:
Result:
Do some more validations to guard against resource usage