Bug 60970

Summary: Endless loop in Http2UpgradeHandler#writeHeaders
Product: Tomcat 8
Reporter: Christian Wellekötter <c.wellekoetter>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
CC: c.wellekoetter
Priority: P2
Version: 8.5.13
Target Milestone: ----
Hardware: Macintosh
OS: All
Attachments: A proposal for a fix for the problem.

Description Christian Wellekötter 2017-04-11 12:52:24 UTC
Created attachment 34905
A proposal for a fix for the problem.

The method Http2UpgradeHandler#writeHeaders runs into an endless loop if the MIME headers to send are too long.

Given the following situation: In our web app we add additional states as cookies into our request. This is causing a header amount greater than 1024 bytes. In that case the named method needs to run line 540 (state = getHpackEncoder().encode(coyoteResponse.getMimeHeaders(), target);) at least twice.

On the first run, the used ByteBuffer will be filled with some data. After that the data are written to the socket output.
Now the ByteBuffer claims to have zero bytes left to write, because its position is set to its limit.
This causes the next call on line 540 to actually do nothing, and the same data is written again. And so the loop continues forever until an exception is thrown.

To fix this problem, the ByteBuffer needs to be reset properly before writing new data to it.

Comment 1 Mark Thomas 2017-04-12 14:28:30 UTC
Thanks for the report. That is where things are going wrong but there are additional cases the proposed patch doesn't cover so it has been fixed with an alternative patch.

Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards
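
The buffer-state problem described in this report, as an added example that is not part of the bug report and is not Tomcat's code or the committed fix: a simplified model of an encode-then-write loop over a reused ByteBuffer, run once with the buffer reset before each encode and once without. The class HeaderBufferLoop, the method encodeChunk (a stand-in for the HPACK encoder) and the 3000-byte input are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

// Simplified model of the loop in the report; hypothetical names, not Tomcat code.
public class HeaderBufferLoop {

    // Stand-in for the encoder: copies as much of src (from offset) as fits
    // into target and returns the number of bytes consumed.
    static int encodeChunk(byte[] src, int offset, ByteBuffer target) {
        int n = Math.min(target.remaining(), src.length - offset);
        target.put(src, offset, n);
        return n;
    }

    // Returns the number of frames written. Throws if an iteration makes no
    // progress, which is the condition that otherwise loops forever.
    static int writeHeaders(byte[] headers, int bufferSize, boolean resetBuffer) {
        ByteBuffer target = ByteBuffer.allocate(bufferSize);
        int offset = 0;
        int frames = 0;
        while (offset < headers.length) {
            if (resetBuffer) {
                target.clear();               // position = 0, limit = capacity
            }
            int consumed = encodeChunk(headers, offset, target);
            if (consumed == 0) {
                // Progress guard: turns a silent spin into a visible failure.
                throw new IllegalStateException("no progress at offset " + offset
                        + ", remaining=" + target.remaining());
            }
            offset += consumed;
            target.flip();                    // switch from filling to draining
            target.position(target.limit());  // models the socket write consuming the data
            frames++;
        }
        return frames;
    }

    public static void main(String[] args) {
        // Constructed input: header data larger than one 1024-byte buffer.
        byte[] headers = new byte[3000];
        Arrays.fill(headers, (byte) 'x');
        System.out.println("with reset: frames=" + writeHeaders(headers, 1024, true));
        try {
            writeHeaders(headers, 1024, false);
        } catch (IllegalStateException e) {
            System.out.println("without reset: " + e.getMessage());
        }
    }
}
```

Without the reset, the second iteration sees a buffer whose position equals its limit, so the encoder has no room to write; a per-iteration progress check like the one above bounds the loop even when the buffer handling is wrong.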