Mask reserved bit when parsing GoAway and WindowUpdate frames

bysiber · Kriechi · commit 36694a5575f1 · 2026-04-10T19:34:44.000+02:00
GoAwayFrame.serialize_body already masks last_stream_id with
&amp; 0x7FFFFFFF, but parse_body reads the raw 32-bit value without
stripping the reserved top bit. If a peer happens to set that bit,
last_stream_id would be read as a value &gt;= 2^31 instead of the
actual stream ID.

Similarly, WindowUpdateFrame.serialize_body masks window_increment
with &amp; 0x7FFFFFFF, but parse_body doesn't. If the reserved bit is
set, the unmasked value exceeds 2^31-1 and the frame is rejected
with InvalidDataError — even though RFC 9113 Section 6.9 says the
reserved bit "MUST be ignored when receiving."

The rest of the codebase already follows this pattern:
  - Frame.parse_frame_header masks stream_id &amp; 0x7FFFFFFF
  - Priority.parse_priority_data masks depends_on &amp; 0x7FFFFFFF

Add the same mask to GoAwayFrame.parse_body and
WindowUpdateFrame.parse_body for consistency.
diff --git a/src/hyperframe/frame.py b/src/hyperframe/frame.py
@@ -639,6 +639,7 @@ def parse_body(self, data: memoryview) -> None:
             msg = "Invalid GOAWAY body."
             raise InvalidFrameError(msg) from err
 
+        self.last_stream_id = self.last_stream_id & 0x7FFFFFFF
         self.body_len = len(data)
 
         if len(data) > 8:
@@ -690,6 +691,8 @@ def parse_body(self, data: memoryview) -> None:
             msg = "Invalid WINDOW_UPDATE body"
             raise InvalidFrameError(msg) from err
 
+        self.window_increment = self.window_increment & 0x7FFFFFFF
+
         if not 1 <= self.window_increment <= 2**31-1:
             msg = "WINDOW_UPDATE increment must be between 1 to 2^31-1"
             raise InvalidDataError(msg)
