Skip to content

HTTP/2: Enforce max concurrent streams for misbehaving clients#16876

Merged
normanmaurer merged 2 commits into
4.1from
h2_41
Jun 2, 2026
Merged

HTTP/2: Enforce max concurrent streams for misbehaving clients#16876
normanmaurer merged 2 commits into
4.1from
h2_41

Conversation

@normanmaurer

@normanmaurer normanmaurer commented Jun 1, 2026

Copy link
Copy Markdown
Member

Motivation:
Clients might choose to omit including the max concurrent streams setting in the SETTINGS frame they send to the server.
Or the client might open streams before sending the settings frame.
In which case the server should enforce its own limits regardless.

Modification:
In the AbstractHttp2ConnectionHandlerBuilder, make sure to configure the max active streams on the remote endpoint as early as possible.

Add tests to prove that the enforcement works.

Result:
The max active streams setting is always enforced.

@chrisvest @normanmaurer
HTTP/2: Enforce max concurrent streams for misbehaving clients
918fd62 
Motivation:
Clients might choose to omit including the max concurrent streams setting in the SETTINGS frame they send to the server.
Or the client might open streams before sending the settings frame.
In which case the server should enforce its own limits regardless.

Modification:
In the AbstractHttp2ConnectionHandlerBuilder, make sure to configure the max active streams on the remote endpoint as early as possible.

Add tests to prove that the enforcement works.

Result:
The max active streams setting is always enforced.
@normanmaurer normanmaurer added the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 1, 2026
@normanmaurer normanmaurer added this to the 4.1.135.Final milestone Jun 1, 2026
@normanmaurer normanmaurer merged commit f5da73e into 4.1 Jun 2, 2026
14 of 18 checks passed
@normanmaurer normanmaurer deleted the h2_41 branch June 2, 2026 10:11
@netty-project-bot

netty-project-bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 5.0.

@idelpivnitskiy idelpivnitskiy mentioned this pull request Jun 3, 2026
Merged
@chrisvest chrisvest mentioned this pull request Jun 4, 2026
Merged
@chrisvest

chrisvest commented Jun 4, 2026

Copy link
Copy Markdown
Member

Port to 5.0: #16914

@chrisvest chrisvest removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 4, 2026
chrisvest added a commit that referenced this pull request Jun 5, 2026
@chrisvest @normanmaurer
@violetagg @schiemon
Forward port multiple security fixes to 5.0 (#16914)
9a85962 
- #16881
- #16876
- #16866
- #16870
- #16837
- #16858
- #16882
- #16893

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
Co-authored-by: Violeta Georgieva <696661+violetagg@users.noreply.github.com>
Co-authored-by: Szymon Habrainski <56340221+schiemon@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

4.1.135.Final

Development

Successfully merging this pull request may close these issues.

3 participants

@normanmaurer @netty-project-bot @chrisvest