Bug 60970 - Endless loop in Http2UpgradeHandler#writeHeaders
Summary: Endless loop in Http2UpgradeHandler#writeHeaders
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.13
Hardware: Macintosh All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-11 12:52 UTC by Christian Wellekötter
Modified: 2017-04-12 14:28 UTC (History)
1 user (show)



Attachments
A proposal for a fix for the problem. (856 bytes, patch)
2017-04-11 12:52 UTC, Christian Wellekötter
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Wellekötter 2017-04-11 12:52:24 UTC
Created attachment 34905 [details]
A proposal for a fix for the problem.

The method Http2UpgradeHandler#writeHeaders runs into an endless loop, if the mime headers to send are too long.

Given following situation: In our web app we add additional states as cookies into our request. This is causing a header amount greater than 1024 bytes. In that case the named method needs to run line 540 (state = getHpackEncoder().encode(coyoteResponse.getMimeHeaders(), target);) at least twice.

On the first run, the used ByteBuffer will be filled with some data. After that the data are written to the socket output.
Now the ByteBuffer claims to have zero bytes left to write, because its position is set to its limit.
This causes the next call on line 540 to actually do nothing and writing the same data again. And so the loop continues forever until an exception is thrown.

To fix this problem, the ByteBuffer needs to be reset properly before writing new data to it.
Comment 1 Mark Thomas 2017-04-12 14:28:30 UTC
Thanks for the report. That is where things are going wrong but there are additional cases the proposed patch doesn't cover so it has been fixed with an alternative patch.

Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards