Merge pull request #13767 from jetty/fix/jetty-12.1.x/13615-mixed-headers

Fixes #13615 - Concurrency issue, headers from different requests are mixed in Jetty 12.0.27.

Author: sbordet

jetty-core/jetty-http2/jetty-http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Stream.java

@@ -394,56 +394,69 @@ private void onNewStream(Callback callback)
     private void onHeaders(HeadersFrame frame, Callback callback)
     {
         MetaData metaData = frame.getMetaData();
-        boolean isTrailer = !metaData.isRequest() && !metaData.isResponse();
-        if (isTrailer)
+        Throwable metaDataFailure = MetaData.Failed.getFailure(metaData);
+        if (metaDataFailure != null)
         {
-            // In case of trailers, notify first and then offer EOF to
-            // avoid race conditions due to concurrent calls to readData().
-            boolean closed = updateClose(true, CloseState.Event.RECEIVED);
-            notifyHeaders(frame, Callback.from(() ->
-            {
-                // Offer EOF in case the application calls readData() or demand().
-                if (offer(Data.eof(getId())))
-                    processData(true);
-                if (closed)
-                    getSession().removeStream(this);
-            }, callback));
+            // Request failures are notified by the session,
+            // since the Stream.Listener won't be available yet.
+            assert !metaData.isRequest();
+
+            // It's a bad response (or trailer), response content will be dropped.
+            onFailure(new FailureFrame(ErrorCode.PROTOCOL_ERROR.code, null, metaDataFailure), callback);
         }
         else
         {
-            long length = -1;
-            HttpFields fields = metaData.getHttpFields();
-            boolean connect = HttpMethod.CONNECT.is(request.getMethod());
-            if (fields != null && !connect)
-                length = fields.getLongField(HttpHeader.CONTENT_LENGTH);
-            dataLength = length;
-
-            // Offer EOF for either the request or the response in
-            // case the application calls readData() or demand().
-            boolean eof = frame.isEndStream() && offer(Data.eof(getId()));
-
-            // Requests are notified to a Session.Listener, here only notify responses.
-            if (metaData.isRequest())
+            boolean isTrailer = !metaData.isRequest() && !metaData.isResponse();
+            if (isTrailer)
             {
-                callback.succeeded();
-            }
-            else
-            {
-                MetaData.Response response = (MetaData.Response)metaData;
-                if (connect && response.getStatus() != HttpStatus.OK_200)
-                {
-                    // A failed tunnel attempt, must close the request side.
-                    updateClose(true, CloseState.Event.AFTER_SEND);
-                }
-                boolean closed = updateClose(frame.isEndStream(), CloseState.Event.RECEIVED);
+                // In case of trailers, notify first and then offer EOF to
+                // avoid race conditions due to concurrent calls to readData().
+                boolean closed = updateClose(true, CloseState.Event.RECEIVED);
                 notifyHeaders(frame, Callback.from(() ->
                 {
-                    if (eof)
+                    // Offer EOF in case the application calls readData() or demand().
+                    if (offer(Data.eof(getId())))
                         processData(true);
                     if (closed)
                         getSession().removeStream(this);
                 }, callback));
             }
+            else
+            {
+                long length = -1;
+                HttpFields fields = metaData.getHttpFields();
+                boolean connect = HttpMethod.CONNECT.is(request.getMethod());
+                if (fields != null && !connect)
+                    length = fields.getLongField(HttpHeader.CONTENT_LENGTH);
+                dataLength = length;
+
+                // Offer EOF for either the request or the response in
+                // case the application calls readData() or demand().
+                boolean eof = frame.isEndStream() && offer(Data.eof(getId()));
+
+                // Requests are notified to a Session.Listener, here only notify responses.
+                if (metaData.isRequest())
+                {
+                    callback.succeeded();
+                }
+                else
+                {
+                    MetaData.Response response = (MetaData.Response)metaData;
+                    if (connect && response.getStatus() != HttpStatus.OK_200)
+                    {
+                        // A failed tunnel attempt, must close the request side.
+                        updateClose(true, CloseState.Event.AFTER_SEND);
+                    }
+                    boolean closed = updateClose(frame.isEndStream(), CloseState.Event.RECEIVED);
+                    notifyHeaders(frame, Callback.from(() ->
+                    {
+                        if (eof)
+                            processData(true);
+                        if (closed)
+                            getSession().removeStream(this);
+                    }, callback));
+                }
+            }
         }
     }
 

jetty-core/jetty-http2/jetty-http2-hpack/src/main/java/org/eclipse/jetty/http2/hpack/HpackDecoder.java

@@ -17,10 +17,10 @@
 import java.util.function.LongSupplier;
 
 import org.eclipse.jetty.http.HttpField;
-import org.eclipse.jetty.http.HttpFields;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpTokens;
 import org.eclipse.jetty.http.MetaData;
+import org.eclipse.jetty.http.PreEncodedHttpField;
 import org.eclipse.jetty.http.compression.EncodingException;
 import org.eclipse.jetty.http.compression.HuffmanDecoder;
 import org.eclipse.jetty.http.compression.NBitIntegerDecoder;
@@ -39,6 +39,7 @@
 public class HpackDecoder
 {
     private static final Logger LOG = LoggerFactory.getLogger(HpackDecoder.class);
+    private static final HttpField LOWER_CASE_CONTENT_LENGTH_0 = new PreEncodedHttpField(HttpHeader.CONTENT_LENGTH, "content-length", "0");
 
     private final HpackContext _context;
     private final MetaDataBuilder _builder;
@@ -123,13 +124,14 @@ public MetaData decode(ByteBuffer buffer) throws HpackException.SessionException
                 if (entry == null)
                     throw new HpackException.SessionException("Unknown index %d", index);
 
+                HttpField field = entry.getHttpField();
                 if (entry.isStatic())
                 {
                     if (LOG.isDebugEnabled())
                         LOG.debug("decode IdxStatic {}", entry);
                     // emit field
                     emitted = true;
-                    _builder.emit(entry.getHttpField());
+                    _builder.emit(field);
 
                     // TODO copy and add to reference set if there is room
                     // _context.add(entry.getHttpField());
@@ -138,9 +140,18 @@ public MetaData decode(ByteBuffer buffer) throws HpackException.SessionException
                 {
                     if (LOG.isDebugEnabled())
                         LOG.debug("decode Idx {}", entry);
+
+                    String name = field.getName();
+                    if (!HttpTokens.isLegalH2H3FieldName(name))
+                        _builder.streamException("Illegal header name %s", name);
+
+                    String value = field.getValue();
+                    if (!HttpTokens.isLegalFieldValue(value))
+                        _builder.streamException("Illegal header value %s", value);
+
                     // emit
                     emitted = true;
-                    _builder.emit(entry.getHttpField());
+                    _builder.emit(field);
                 }
             }
             else
@@ -248,7 +259,7 @@ public MetaData decode(ByteBuffer buffer) throws HpackException.SessionException
 
                         case CONTENT_LENGTH:
                             if ("0".equals(value))
-                                field = HttpFields.CONTENT_LENGTH_0;
+                                field = LOWER_CASE_CONTENT_LENGTH_0;
                             else
                                 field = new HttpField.LongValueHttpField(header, name, value);
                             break;

jetty-core/jetty-http2/jetty-http2-hpack/src/main/java/org/eclipse/jetty/http2/hpack/internal/MetaDataBuilder.java

@@ -51,6 +51,23 @@ public MetaDataBuilder(int maxHeadersSize)
         _maxSize = maxHeadersSize;
     }
 
+    private void reset()
+    {
+        _fields.clear();
+        _size = 0;
+        _status = null;
+        _method = null;
+        _scheme = null;
+        _authority = null;
+        _path = null;
+        _protocol = null;
+        _contentLength = -1;
+        _streamException = null;
+        _request = false;
+        _response = false;
+        _beginNanoTime = Long.MIN_VALUE;
+    }
+
     /**
      * Get the maxSize.
      * @return the maxSize
@@ -235,18 +252,14 @@ protected boolean checkPseudoHeader(HttpHeader header, Object value)
 
     public MetaData build() throws HpackException.StreamException
     {
-        if (_streamException != null)
+        try
         {
-            _streamException.addSuppressed(new Throwable());
-            throw _streamException;
-        }
+            if (_streamException != null)
+                throw _streamException;
 
-        if (_request && _response)
-            throw new HpackException.StreamException(true, true, "Request and Response headers");
+            if (_request && _response)
+                throw new HpackException.StreamException(true, true, "Request and Response headers");
 
-        HttpFields.Mutable fields = _fields;
-        try
-        {
             if (_request)
             {
                 if (_method == null)
@@ -264,7 +277,7 @@ public MetaData build() throws HpackException.StreamException
 
                 if (isConnect)
                 {
-                    return new MetaData.ConnectRequest(nanoTime, _scheme, _authority, _path, fields, _protocol);
+                    return new MetaData.ConnectRequest(nanoTime, _scheme, _authority, _path, _fields, _protocol);
                 }
                 else
                 {
@@ -273,7 +286,7 @@ public MetaData build() throws HpackException.StreamException
                         _method,
                         newHttpURI(),
                         HttpVersion.HTTP_2,
-                        fields,
+                        _fields,
                         _contentLength,
                         null);
                 }
@@ -283,24 +296,14 @@ public MetaData build() throws HpackException.StreamException
             {
                 if (_status == null)
                     throw new HpackException.StreamException(false, true, "No Status");
-                return new MetaData.Response(_status, null, HttpVersion.HTTP_2, fields, _contentLength);
+                return new MetaData.Response(_status, null, HttpVersion.HTTP_2, _fields, _contentLength);
             }
 
-            return new MetaData(HttpVersion.HTTP_2, fields, _contentLength);
+            return new MetaData(HttpVersion.HTTP_2, _fields, _contentLength);
         }
         finally
         {
-            _fields.clear();
-            _request = false;
-            _response = false;
-            _status = null;
-            _method = null;
-            _scheme = null;
-            _authority = null;
-            _path = null;
-            _protocol = null;
-            _size = 0;
-            _contentLength = -1;
+            reset();
         }
     }