From bc4c77bf95be0e0ad186d3e0b950a1ddb21507a4 Mon Sep 17 00:00:00 2001
From: Jan Tattermusch
Date: Wed, 6 Feb 2019 19:51:09 +0100
Subject: [PATCH 1/2] ignore reserved bit in WINDOW_UPDATE frame
---
 .../ext/transport/chttp2/transport/frame_window_update.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/core/ext/transport/chttp2/transport/frame_window_update.cc b/src/core/ext/transport/chttp2/transport/frame_window_update.cc
index 4b586dc3e7f..b8738ea7ea0 100644
--- a/src/core/ext/transport/chttp2/transport/frame_window_update.cc
+++ b/src/core/ext/transport/chttp2/transport/frame_window_update.cc
@@ -88,8 +88,9 @@ grpc_error* grpc_chttp2_window_update_parser_parse(void* parser,
 }
 if (p->byte == 4) {
- uint32_t received_update = p->amount;
- if (received_update == 0 || (received_update & 0x80000000u)) {
+ // top bit is reserved and must be ignored.
+ uint32_t received_update = p->amount & 0x7fffffffu;
+ if (received_update == 0) {
 char* msg;
 gpr_asprintf(&msg, "invalid window update bytes: %d", p->amount);
 grpc_error* err = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
From 486b1fe3206d922d80b201861b8816b30639a0c9 Mon Sep 17 00:00:00 2001
From: Jan Tattermusch
Date: Thu, 7 Feb 2019 10:21:09 +0100
Subject: [PATCH 2/2] Fix bad_client_simple_request test. The data of 0xffffffff is actually not illegal, the top bit should be ingored according to the spec.
---
 test/core/bad_client/tests/simple_request.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/core/bad_client/tests/simple_request.cc b/test/core/bad_client/tests/simple_request.cc
index 34049aaaffc..614f5869976 100644
--- a/test/core/bad_client/tests/simple_request.cc
+++ b/test/core/bad_client/tests/simple_request.cc
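Review bot: In grpc_chttp2_window_update_parser_parse (frame_window_update.cc) the error path still formats the unmasked `p->amount` with `%d`, so the one reserved-bit value that is still rejected (0x80000000, which masks to a zero increment) would be logged as a negative number instead of the zero increment that triggered the rejection. Logging the masked value with an unsigned conversion keeps the message consistent with the check: `gpr_asprintf(&msg, "invalid window update bytes: %u", received_update);` (this assumes `p->amount` is a 32-bit unsigned field, as the assignment to `uint32_t` suggests). The function body continues outside the hunk, so it is worth confirming that the later flow-control update reads `received_update` and not `p->amount`; otherwise the reserved bit would still reach the window arithmetic.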
@@ -147,11 +147,12 @@ int main(int argc, char** argv) {
 /* push a window update with bad flags */
 GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,
 PFX_STR "\x00\x00\x00\x08\x10\x00\x00\x00\x01", 0);
- /* push a window update with bad data */
+ /* push a window update with bad data (0 is not legal window size increment)
+ */
 GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,
 PFX_STR "\x00\x00\x04\x08\x00\x00\x00\x00\x01"
- "\xff\xff\xff\xff",
+ "\x00\x00\x00\x00",
 0);
 /* push a short goaway */
 GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr,
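Review bot: The rewritten "bad data" case covers only an all-zero payload, so nothing visible in this hunk pins the other value the parser must keep rejecting after the masking change: a payload of `\x80\x00\x00\x00`, where the reserved bit is set and the 31-bit increment is zero. A sibling case such as `GRPC_RUN_BAD_CLIENT_TEST(failure_verifier, nullptr, PFX_STR "\x00\x00\x04\x08\x00\x00\x00\x00\x01" "\x80\x00\x00\x00", 0);` would catch a regression in which the zero check is applied before the mask. That payload is a constructed sample built on the frame header already used in this test, and main's body continues outside the hunk.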