1. NPE may occur in Http2Connection.processFrame() in case of unknown stream ID:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/f4a0fe7bbd75/src/java.httpclient/share/classes/java/net/http/Http2Connection.java#l385
...
    Stream stream = getStream(streamid);
    if (stream == null) {
        // should never receive a frame with unknown stream id
        resetStream(streamid, ResetFrame.PROTOCOL_ERROR);
    }
    if (frame instanceof PushPromiseFrame) {
        PushPromiseFrame pp = (PushPromiseFrame)frame;
        handlePushPromise(stream, pp);
    } else if (frame instanceof HeaderFrame) {
        // decode headers (or continuation)
        decodeHeaders((HeaderFrame) frame, stream.rspHeadersConsumer());
        stream.incoming(frame);
    } else
        stream.incoming(frame);
...
It checks 'stream' for null, but it doesn't quit if it's null. As a result, NPE may occur when stream.incoming(frame) is called. Looks like it should return if stream is null.
2. AIOOBE may occur in SettingsFrame.readIncomingImpl() in case of invalid parameter ID:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/f4a0fe7bbd75/src/java.httpclient/share/classes/java/net/http/SettingsFrame.java#l116
...
    void readIncomingImpl(ByteBufferConsumer bc) throws IOException {
        if (length % 6 != 0) {
            throw new IOException("Protocol error: invalid settings frame");
        }
        int n = length / 6;
        for (int i=0; i<n; i++) {
            int id = bc.getShort();
            int val = bc.getInt();
            if (id > 0 || id <= MAX_PARAM) {
                // a known parameter. Ignore otherwise
                parameters[id-1] = val;
            }
        }
    }
...
"id > 0 || id <= MAX_PARAM" returns true if 'id' is more than MAX_PARAM. As a result, AIOOBE may occur. 'OR' should be replaced with 'AND' here.
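The range check from item 2, reproduced as an added stand-alone example (not the JDK's own code): it parses a constructed SETTINGS payload once with the reported '||' condition and once with '&&'. The class name, the use of java.nio.ByteBuffer in place of ByteBufferConsumer, and MAX_PARAM = 6 are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;

public class SettingsParseDemo {
    static final int MAX_PARAM = 6; // assumption: six settings, as defined by RFC 7540

    // Parses a SETTINGS payload; 'fixed' selects the corrected (&&) range check.
    static int[] parse(ByteBuffer payload, boolean fixed) throws IOException {
        if (payload.remaining() % 6 != 0) {
            throw new IOException("Protocol error: invalid settings frame");
        }
        int[] parameters = new int[MAX_PARAM];
        while (payload.hasRemaining()) {
            int id = payload.getShort() & 0xFFFF; // identifier is an unsigned 16-bit value
            int val = payload.getInt();
            boolean known = fixed ? (id > 0 && id <= MAX_PARAM)
                                  : (id > 0 || id <= MAX_PARAM); // condition from the report
            if (known) {
                parameters[id - 1] = val; // out of bounds when id is 0 or above MAX_PARAM
            }
        }
        return parameters;
    }

    // Constructed sample: one valid setting (id 3 = 100) and one unknown id 0x00FF.
    static ByteBuffer sample() {
        ByteBuffer b = ByteBuffer.allocate(12);
        b.putShort((short) 3).putInt(100);
        b.putShort((short) 0x00FF).putInt(1);
        b.flip();
        return b;
    }

    public static void main(String[] args) throws IOException {
        try {
            parse(sample(), false);
            System.out.println("original check: parsed without error");
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("original check: " + e);
        }
        int[] p = parse(sample(), true);
        System.out.println("fixed check: parameters[2]=" + p[2] + ", unknown id ignored");
    }
}
```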
Relates to: JDK-8157105 HTTP/2 client hangs in blocking mode if an invalid frame has been received (Closed)