Merge pull request #17950 from jtattermusch/bad_window_update

Ignore reserved bit in WINDOW_UPDATE frame
6 years ago · 89110b0352
parent 9abdfa314d 486b1fe320
commit 89110b0352
2 changed files with 6 additions and 4 deletions
--- a/src/core/ext/transport/chttp2/transport/frame_window_update.cc
+++ b/src/core/ext/transport/chttp2/transport/frame_window_update.cc
@ -88,8 +88,9 @@ grpc_error* grpc_chttp2_window_update_parser_parse(void* parser,
  }

  if (p->byte == 4) {
-    uint32_t received_update = p->amount;
-    if (received_update == 0 || (received_update & 0x80000000u)) {
+    // top bit is reserved and must be ignored.
+    uint32_t received_update = p->amount & 0x7fffffffu;
+    if (received_update == 0) {
      char* msg;
      gpr_asprintf(&msg, "invalid window update bytes: %d", p->amount);
      grpc_error* err = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
--- a/test/core/bad_client/tests/simple_request.cc
+++ b/test/core/bad_client/tests/simple_request.cc
@ -147,11 +147,12 @@ int main(int argc, char** argv) {
  /* push a window update with bad flags */
  GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,
                           PFX_STR "\x00\x00\x00\x08\x10\x00\x00\x00\x01", 0);
-  /* push a window update with bad data */
+  /* push a window update with bad data (0 is not legal window size increment)
+   */
  GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,
                           PFX_STR
                           "\x00\x00\x04\x08\x00\x00\x00\x00\x01"
-                           "\xff\xff\xff\xff",
+                           "\x00\x00\x00\x00",
                           0);
  /* push a short goaway */
  GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,