Jetty response with an invalid HTTP2 packet if the client set the hpack table size as 0 #10805
Comments
|
There have been several fixes to the HPACK code in Jetty 12.0.2, can you retest on Jetty 12.0.2? |
|
After further test with org.eclipse.jetty.http2.server_12.0.2.jar, org.eclipse.jetty.http2.hpack_12.0.2.jar and org.eclipse.jetty.http2.common_12.0.2.jar, still not work... |
|
Hi @joakime , I finally found out the change is introduced by #9749 , |
terryyrliang
changed the title
|
Hi @joakime , from the HTTP2 specification, the HTTP2 server should support SETTINGS_HEADER_TABLE_SIZE is 0. However, per our test, Jetty 12 does not support right now.
|
|
@terryyrliang sorry but there is not enough information. Can you please detail exactly what is your configuration? Better yet, can you provide a reproducible test case? |
|
What client are you using? |
|
@terryyrliang see tests in #11056, they pass cleanly, so we need to know what exactly you are doing. |
|
@terryyrliang I'm closing this. |
github-project-automation
bot
moved this from 🏗 In progress
to ✅ Done
in Jetty 12.0.5 - FROZEN
|
Hi, sorry to jump in. I am also experiencing this issue, even though we are using 9.4.51 and 9.4.53. 9.4.53 Jetty: |
|
@JohnNewComer Jetty 9.4.x is at End of Community Support (#7958) as well as Jetty 10/11 (#10485). |
|
@JohnNewComer there is also a sponsored newer Jetty 9 release than you have tested - https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.54.v20240208 |
|
@JohnNewComer if you can test the latest jetty-9, we will probably look at this a bit even though we are at EoCS, as it is plausible this is a problem introduced with changes we made in
|
|
Thanks for quick response. |
|
@JohnNewComer See #11422, I've added our unit tests for zero sized dynamic tables to Jetty-9.4.x, which pass. Can you look at those tests and see if they are any different to your use case? Ideally we can adapt them to make a reproduction of your issue. |
|
Captures look OK... although I don't really like the RSTs after the tests have finished, but you can see they happen after the response.
|
|
I tried this test case in some scenarios, the results make me unsure if it‘s a backward compatibility issue for jetty. While for jetty 9.4.51, it could decode Headers with Header Table Size 0 In wireshark 4.2.3: For jetty 9.4.51, it also decodes well: Looks like there are some behavior changes in "Header Block Fragment" between 9.4.51 and 9.4.54, which couldn't be perfectly compatible to old wireshark 2.6.2(or other client). |
|
@JohnNewComer because some of the CVEs these fixes for were across all implementations of HTTP/2, there were a lot of changes to HTTP/2 around this time on many platforms. Not all of these changes were CVE related, but were often "cleanups" or design changes that were forced by addressing the CVEs. So it is plausible that there are issues in clients/tools predating these changes. So can you confirm if you do or don't have a real world problem with these releases? Do you have real clients having errors or is it just an old version of wireshark in your analysis that is the issue? Also, what is the source of the 0 sized table? If it is your configuration, you could always try setting it to 1 or some other small number, which would have pretty much the same effect, but would avoid the zero case. |
|
Thanks for explanation. |
|
@JohnNewComer We've gone over this again and we think we are doing something wrong in Jetty-9.4.54. We are incorrectly assuming the default table size is 0 (rather than 4096), so when you set zero we are not echoing the size back correctly. We believe we have this correct in jetty-10/11/12, but that something was broken in the back port to jetty-9. We will fix this, but not sure of the time line as Jetty-9.4 is end-of-community life.... but as this might prevent upgrading to get CVE fixes, we can probably give this some priority (@lachlan-roberts can you help on this?) @JohnNewComer to assist us fixing this precisely, it would be good if you could send us the full hex of each Header Block Fragment that you are seeing for 9.4.51 and 9.4.54; and for both the SETTINGS frame sent client->server and server->client. |
|
I think we should also walk through the logic in 12 as well just to triple check it. |
|
Thanks for checking. Below are the results for jetty 9.4.51 and 9.4.54. Jetty 9.4.51:SETTINGS frame: Jetty 9.4.54:SETTINGS frame: |
|
@lachlan-roberts So in the above, the SETTINGS frames received and echoed by the server are identical for 9.4.51 and 9.4.54. The only difference is in the actual headings from sent for the response. In 9.4.51, the headings frame starts with 0x20, which is the encoding of the maxDynamic table size that is guarded by: if (tableCapacity != _context.getMaxDynamicTableSize())
encodeMaxDynamicTableSize(buffer, tableCapacity);So there is some difference in the initial table size, or the handling of the settings??? |
Set the correct default size for the table. Always send the max table size on the first encode
|
@JohnNewComer I believe @lachlan-roberts has come up with a fix, and I've extended that with some defence in depth. See PR #11445 |
|
Sorry for late reply, just got back to work. I have tested the fix just now, it works. Thanks for all the help. |
|
@JohnNewComer thanks for that confirmation. We will merge that fix forward through 10, 11 & 12 (slighty different in each). The joys of multiple versions/branches! |
|
Cool, many thanks! |
* Fix #10805 zero dynamic table (#11445) * Added test for #10805 Zero Dynamic Table * fixed file header * Added test for #10805 Zero Dynamic Table * Fix for #10805 Zero Dynamic Table Set the correct default size for the table. Always send the max table size on the first encode * updated file header Signed-off-by: gregw <gregw@webtide.com> --------- Signed-off-by: gregw <gregw@webtide.com>
github-project-automation
bot
moved this to ✅ Done
in 🧊 Jetty 9.4.55 (Post EOCD) - FROZEN
|
Hi @gregw , @sbordet and @lachlan-roberts , I use the the jetty 12.0.6 version to test, we still got error. And I finally find out an easy to reproduce the issue. Please have a look, because some rules, we cannot provide the log and tcpdump, I hope you can understand... <dependency>
<groupId>io.vertx</groupId>
<artifactId>vertx-web-client</artifactId>
<version>4.5.7</version>
</dependency>
<dependency>
<groupId>io.vertx</groupId>
<artifactId>vertx-core</artifactId>
<version>4.5.7</version>
</dependency> |
Jetty version(s)
Jetty 12.0.1
Jetty Environment
ee10
Java version/vendor
(use: java -version)17.0.8.1
OS type/version
suse-150400.3.30.1-x8664, Linux kernel is 5.14.21-150400.24.63-default
Description
Our client application is sending the http2 request with hpack table size 0, and Jetty cannot response an valid http2 packet.
How to reproduce?
In our http2 client, set the hpack table size as 0 when sending HTTP2 setting to the Jetty server. And then we get an invalid http2 response.
The text was updated successfully, but these errors were encountered: