Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers (#16536)

netty-project-bot · normanmaurer · bryce-anderson · web-flow · commit aae944a19eb0 · 2026-03-24T15:53:21.000+01:00
Auto-port of #13969 to 4.2 Cherry-picked commit: 9f47a7b --- Motivation: We should limit the number of continuation frames that the remote peer is allowed to sent per headers. Modifications: - Limit the number of continuation frames by default to 16 and allow the user to change this. - Add unit test Result: Do some more validations to guard against resource usage Co-authored-by: Norman Maurer <norman_maurer@apple.com> Co-authored-by: Bryce Anderson <bl_anderson@apple.com> Co-authored-by: Chris Vest <mr.chrisvest@gmail.com>
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
@@ -13,7 +13,6 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-
 package io.netty.handler.codec.http2;
 
 import io.netty.channel.Channel;
@@ -113,6 +112,8 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
     private int maxDecodedRstFramesSecondsPerWindow = 30;
     private Integer maxEncodedRstFramesPerWindow;
     private int maxEncodedRstFramesSecondsPerWindow = 30;
+    private int maxSmallContinuationFrames = Http2CodecUtil.DEFAULT_MAX_SMALL_CONTINUATION_FRAME;
+
     /**
      * Sets the {@link Http2Settings} to use for the initial connection settings exchange.
      */
@@ -466,6 +467,30 @@ protected B encoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int s
         return self();
     }
 
+    /**
+     * Returns the maximum number of small CONTINUATION frames per HEADERS block that are allowed
+     * before the connection is closed. Small is defined as 8 KiB, half the minimum allowed HTTP2 frame size.
+     * This setting is to protect against the remote peer flooding us with such frames.
+     *
+     * {@code 0} means no protection is in place.
+     */
+    protected int decoderEnforceMaxSmallContinuationFrames() {
+        return maxSmallContinuationFrames;
+    }
+
+    /**
+     * Returns the maximum number of small CONTINUATION frames per HEADERS block that are allowed
+     * before the connection is closed. Small is defined as 8 KiB, half the minimum allowed HTTP2 frame size.
+     * This setting is to protect against the remote peer flooding us with such frames.
+     * {@code 0} means no protection should be applied.
+     */
+    protected B decoderEnforceMaxSmallContinuationFrames(int maxSmallContinuationFrames) {
+        enforceNonCodecConstraints("maxSmallContinuationFrames");
+        this.maxSmallContinuationFrames = checkPositiveOrZero(
+                maxSmallContinuationFrames, "maxSmallContinuationFrames");
+        return self();
+    }
+
     /**
      * Determine if settings frame should automatically be acknowledged and applied.
      * @return this.
@@ -571,7 +596,7 @@ private T buildFromConnection(Http2Connection connection) {
         Long maxHeaderListSize = initialSettings.maxHeaderListSize();
         Http2FrameReader reader = new DefaultHttp2FrameReader(new DefaultHttp2HeadersDecoder(isValidateHeaders(),
                 maxHeaderListSize == null ? DEFAULT_HEADER_LIST_SIZE : maxHeaderListSize,
-                /* initialHuffmanDecodeCapacity= */ -1));
+                /* initialHuffmanDecodeCapacity= */ -1), maxSmallContinuationFrames);
         Http2FrameWriter writer = encoderIgnoreMaxHeaderListSize == null ?
                 new DefaultHttp2FrameWriter(headerSensitivityDetector()) :
                 new DefaultHttp2FrameWriter(headerSensitivityDetector(), encoderIgnoreMaxHeaderListSize);
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2FrameReader.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2FrameReader.java
@@ -18,19 +18,22 @@
 import io.netty.buffer.ByteBufAllocator;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.handler.codec.http2.Http2FrameReader.Configuration;
+import io.netty.util.internal.ObjectUtil;
 import io.netty.util.internal.PlatformDependent;
 
 import static io.netty.handler.codec.http2.Http2CodecUtil.CONNECTION_STREAM_ID;
 import static io.netty.handler.codec.http2.Http2CodecUtil.DEFAULT_MAX_FRAME_SIZE;
 import static io.netty.handler.codec.http2.Http2CodecUtil.FRAME_HEADER_LENGTH;
 import static io.netty.handler.codec.http2.Http2CodecUtil.INT_FIELD_LENGTH;
+import static io.netty.handler.codec.http2.Http2CodecUtil.MAX_FRAME_SIZE_LOWER_BOUND;
 import static io.netty.handler.codec.http2.Http2CodecUtil.PING_FRAME_PAYLOAD_LENGTH;
 import static io.netty.handler.codec.http2.Http2CodecUtil.PRIORITY_ENTRY_LENGTH;
 import static io.netty.handler.codec.http2.Http2CodecUtil.SETTINGS_INITIAL_WINDOW_SIZE;
 import static io.netty.handler.codec.http2.Http2CodecUtil.SETTING_ENTRY_LENGTH;
 import static io.netty.handler.codec.http2.Http2CodecUtil.headerListSizeExceeded;
 import static io.netty.handler.codec.http2.Http2CodecUtil.isMaxFrameSizeValid;
 import static io.netty.handler.codec.http2.Http2CodecUtil.readUnsignedInt;
+import static io.netty.handler.codec.http2.Http2Error.ENHANCE_YOUR_CALM;
 import static io.netty.handler.codec.http2.Http2Error.FLOW_CONTROL_ERROR;
 import static io.netty.handler.codec.http2.Http2Error.FRAME_SIZE_ERROR;
 import static io.netty.handler.codec.http2.Http2Error.PROTOCOL_ERROR;
@@ -51,6 +54,7 @@
  * A {@link Http2FrameReader} that supports all frame types defined by the HTTP/2 specification.
  */
 public class DefaultHttp2FrameReader implements Http2FrameReader, Http2FrameSizePolicy, Configuration {
+    private static final int FRAGMENT_THRESHOLD = MAX_FRAME_SIZE_LOWER_BOUND / 2;
     private final Http2HeadersDecoder headersDecoder;
 
     /**
@@ -67,7 +71,8 @@ public class DefaultHttp2FrameReader implements Http2FrameReader, Http2FrameSize
     private Http2Flags flags;
     private int payloadLength;
     private HeadersContinuation headersContinuation;
-    private int maxFrameSize;
+    private int maxFrameSize = DEFAULT_MAX_FRAME_SIZE;
+    private final int maxSmallContinuationFrames;
 
     /**
      * Create a new instance.
@@ -88,8 +93,13 @@ public DefaultHttp2FrameReader(boolean validateHeaders) {
     }
 
     public DefaultHttp2FrameReader(Http2HeadersDecoder headersDecoder) {
-        this.headersDecoder = headersDecoder;
-        maxFrameSize = DEFAULT_MAX_FRAME_SIZE;
+        this(headersDecoder, Http2CodecUtil.DEFAULT_MAX_SMALL_CONTINUATION_FRAME);
+    }
+
+    public DefaultHttp2FrameReader(Http2HeadersDecoder headersDecoder, int maxSmallContinuationFrames) {
+        this.headersDecoder = ObjectUtil.checkNotNull(headersDecoder, "headersDecoder");
+        this.maxSmallContinuationFrames = ObjectUtil.checkPositiveOrZero(
+                maxSmallContinuationFrames, "maxSmallContinuationFrames");
     }
 
     @Override
@@ -390,6 +400,12 @@ private void verifyContinuationFrame() throws Http2Exception {
             throw connectionError(PROTOCOL_ERROR, "Continuation stream ID does not match pending headers. "
                     + "Expected %d, but received %d.", headersContinuation.getStreamId(), streamId);
         }
+
+        if (headersContinuation.numSmallFragments() >=  maxSmallContinuationFrames) {
+            throw connectionError(ENHANCE_YOUR_CALM,
+                    "Number of small consecutive continuations frames %d exceeds maximum: %d",
+                    headersContinuation.numSmallFragments(), maxSmallContinuationFrames);
+        }
     }
 
     private void verifyUnknownFrame() throws Http2Exception {
@@ -645,6 +661,15 @@ private abstract class HeadersContinuation {
          */
         abstract int getStreamId();
 
+        /**
+         * Return the number of fragments that were used so far.
+         *
+         * @return the number of fragments
+         */
+        final int numSmallFragments() {
+            return builder.numSmallFragments();
+        }
+
         /**
          * Processes the next fragment for the current header block.
          *
@@ -673,6 +698,7 @@ final void close() {
      */
     protected class HeadersBlockBuilder {
         private ByteBuf headerBlock;
+        private int numSmallFragments;
 
         /**
          * The local header size maximum has been exceeded while accumulating bytes.
@@ -683,6 +709,15 @@ private void headerSizeExceeded() throws Http2Exception {
             headerListSizeExceeded(headersDecoder.configuration().maxHeaderListSizeGoAway());
         }
 
+        /**
+         * Return the number of fragments that was used so far.
+         *
+         * @return number of fragments.
+         */
+        int numSmallFragments() {
+            return numSmallFragments;
+        }
+
         /**
          * Adds a fragment to the block.
          *
@@ -694,6 +729,11 @@ private void headerSizeExceeded() throws Http2Exception {
          */
         final void addFragment(ByteBuf fragment, int len, ByteBufAllocator alloc,
                 boolean endOfHeaders) throws Http2Exception {
+            if (maxSmallContinuationFrames > 0 && !endOfHeaders && len < FRAGMENT_THRESHOLD) {
+                // Only count of the fragment is not the end of header and if its < 8kb.
+                numSmallFragments++;
+            }
+
             if (headerBlock == null) {
                 if (len > headersDecoder.configuration().maxHeaderListSizeGoAway()) {
                     headerSizeExceeded();
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2CodecUtil.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2CodecUtil.java
@@ -117,7 +117,7 @@ public final class Http2CodecUtil {
     public static final int SMALLEST_MAX_CONCURRENT_STREAMS = 100;
     static final int DEFAULT_MAX_RESERVED_STREAMS = SMALLEST_MAX_CONCURRENT_STREAMS;
     static final int DEFAULT_MIN_ALLOCATION_CHUNK = 1024;
-
+    static final int DEFAULT_MAX_SMALL_CONTINUATION_FRAME = 16;
     /**
      * Calculate the threshold in bytes which should trigger a {@code GO_AWAY} if a set of headers exceeds this amount.
      * @param maxHeaderListSize
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
@@ -203,6 +203,17 @@ public Http2FrameCodecBuilder encoderEnforceMaxRstFramesPerWindow(
         return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
     }
 
+    @Override
+    public int decoderEnforceMaxSmallContinuationFrames() {
+        return super.decoderEnforceMaxSmallContinuationFrames();
+    }
+
+    @Override
+    public Http2FrameCodecBuilder decoderEnforceMaxSmallContinuationFrames(
+            int maxConsecutiveContinuationsFrames) {
+        return super.decoderEnforceMaxSmallContinuationFrames(maxConsecutiveContinuationsFrames);
+    }
+
     /**
      * Build a {@link Http2FrameCodec} object.
      */
@@ -216,7 +227,8 @@ public Http2FrameCodec build() {
             Long maxHeaderListSize = initialSettings().maxHeaderListSize();
             Http2FrameReader frameReader = new DefaultHttp2FrameReader(maxHeaderListSize == null ?
                     new DefaultHttp2HeadersDecoder(isValidateHeaders()) :
-                    new DefaultHttp2HeadersDecoder(isValidateHeaders(), maxHeaderListSize));
+                    new DefaultHttp2HeadersDecoder(isValidateHeaders(), maxHeaderListSize),
+                    decoderEnforceMaxSmallContinuationFrames());
 
             if (frameLogger() != null) {
                 frameWriter = new Http2OutboundFrameLogger(frameWriter, frameLogger());
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
@@ -221,6 +221,17 @@ public Http2MultiplexCodecBuilder encoderEnforceMaxRstFramesPerWindow(
         return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
     }
 
+    @Override
+    public int decoderEnforceMaxSmallContinuationFrames() {
+        return super.decoderEnforceMaxSmallContinuationFrames();
+    }
+
+    @Override
+    public Http2MultiplexCodecBuilder decoderEnforceMaxSmallContinuationFrames(
+            int maxConsecutiveContinuationsFrames) {
+        return super.decoderEnforceMaxSmallContinuationFrames(maxConsecutiveContinuationsFrames);
+    }
+
     @Override
     public Http2MultiplexCodec build() {
         Http2FrameWriter frameWriter = this.frameWriter;
@@ -231,7 +242,8 @@ public Http2MultiplexCodec build() {
             Long maxHeaderListSize = initialSettings().maxHeaderListSize();
             Http2FrameReader frameReader = new DefaultHttp2FrameReader(maxHeaderListSize == null ?
                     new DefaultHttp2HeadersDecoder(isValidateHeaders()) :
-                    new DefaultHttp2HeadersDecoder(isValidateHeaders(), maxHeaderListSize));
+                    new DefaultHttp2HeadersDecoder(isValidateHeaders(), maxHeaderListSize),
+                    decoderEnforceMaxSmallContinuationFrames());
 
             if (frameLogger() != null) {
                 frameWriter = new Http2OutboundFrameLogger(frameWriter, frameLogger());
diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2FrameReaderTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2FrameReaderTest.java
@@ -109,6 +109,59 @@ public void readHeaderFrameAndContinuationFrame() throws Http2Exception {
         }
     }
 
+    @Test
+    public void readHeaderFrameAndContinuationFrameExceedMax() throws Http2Exception {
+        frameReader = new DefaultHttp2FrameReader(new DefaultHttp2HeadersDecoder(true), 2);
+        final int streamId = 1;
+
+        final ByteBuf input = Unpooled.buffer();
+        try {
+            Http2Headers headers = new DefaultHttp2Headers()
+                    .authority("foo")
+                    .method("get")
+                    .path("/")
+                    .scheme("https");
+            writeHeaderFrame(input, streamId, headers,
+                    new Http2Flags().endOfHeaders(false).endOfStream(true));
+            writeContinuationFrame(input, streamId, new DefaultHttp2Headers().add("foo", "bar"),
+                    new Http2Flags().endOfHeaders(false));
+            writeContinuationFrame(input, streamId, new DefaultHttp2Headers().add("foo2", "bar2"),
+                    new Http2Flags().endOfHeaders(false));
+
+            Http2Exception ex = assertThrows(Http2Exception.class, new Executable() {
+                @Override
+                public void execute() throws Throwable {
+                    frameReader.readFrame(ctx, input, listener);
+                }
+            });
+            assertEquals(Http2Error.ENHANCE_YOUR_CALM, ex.error());
+        } finally {
+            input.release();
+        }
+    }
+
+    @Test
+    public void readHeaderFrameAndContinuationFrameDontExceedMax() throws Http2Exception {
+        frameReader = new DefaultHttp2FrameReader(new DefaultHttp2HeadersDecoder(true), 2);
+        final int streamId = 1;
+
+        final ByteBuf input = Unpooled.buffer();
+        try {
+            Http2Headers headers = new DefaultHttp2Headers()
+                    .authority("foo")
+                    .method("get")
+                    .path("/")
+                    .scheme("https");
+            writeHeaderFrame(input, streamId, headers,
+                    new Http2Flags().endOfHeaders(false).endOfStream(true));
+            writeContinuationFrame(input, streamId, new DefaultHttp2Headers().add("foo", "bar"),
+                    new Http2Flags().endOfHeaders(false));
+            frameReader.readFrame(ctx, input, listener);
+        } finally {
+            input.release();
+        }
+    }
+
     @Test
     public void readUnknownFrame() throws Http2Exception {
         ByteBuf input = Unpooled.buffer();
