From 0a64115680d0a5197919029733ece0992fa12af0 Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Wed, 18 Oct 2023 12:17:07 -0600
Subject: [PATCH 1/3] Backport 76bb4bfb
---
.../apache/coyote/http2/Http2AsyncParser.java | 51 ++++++++++---------
.../apache/coyote/http2/Http2Protocol.java | 19 ++++++-
.../coyote/http2/Http2UpgradeHandler.java | 18 ++++++-
webapps/docs/changelog.xml | 3 ++
webapps/docs/config/http2.xml | 9 +++-
5 files changed, 73 insertions(+), 27 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2AsyncParser.java b/java/org/apache/coyote/http2/Http2AsyncParser.java
index d01497051da7..6e6065fcf664 100644
--- a/java/org/apache/coyote/http2/Http2AsyncParser.java
+++ b/java/org/apache/coyote/http2/Http2AsyncParser.java
@@ -278,36 +278,39 @@ public void completed(Long result, Void attachment) {
readUnknownFrame(streamId, frameTypeId, flags, payloadSize, payload);
}
}
- // See if there is a new 9 byte header and continue parsing if possible
- if (payload.remaining() >= 9) {
- int position = payload.position();
- payloadSize = ByteUtil.getThreeBytes(payload, position);
- frameTypeId = ByteUtil.getOneByte(payload, position + 3);
- frameType = FrameType.valueOf(frameTypeId);
- flags = ByteUtil.getOneByte(payload, position + 4);
- streamId = ByteUtil.get31Bits(payload, position + 5);
- streamException = false;
- if (payload.remaining() - 9 >= payloadSize) {
- continueParsing = true;
- // Now go over frame header
- payload.position(payload.position() + 9);
- try {
- validateFrame(null, frameType, streamId, flags, payloadSize);
- } catch (StreamException e) {
- error = e;
- streamException = true;
- } catch (Http2Exception e) {
- error = e;
- continueParsing = false;
+ if (!upgradeHandler.isOverheadLimitExceeded()) {
+ // See if there is a new 9 byte header and continue parsing if possible
+ if (payload.remaining() >= 9) {
+ int position = payload.position();
+ payloadSize = ByteUtil.getThreeBytes(payload, position);
+ frameTypeId = ByteUtil.getOneByte(payload, position + 3);
+ frameType = FrameType.valueOf(frameTypeId);
+ flags = ByteUtil.getOneByte(payload, position + 4);
+ streamId = ByteUtil.get31Bits(payload, position + 5);
+ streamException = false;
+ if (payload.remaining() - 9 >= payloadSize) {
+ continueParsing = true;
+ // Now go over frame header
+ payload.position(payload.position() + 9);
+ try {
+ validateFrame(null, frameType, streamId, flags, payloadSize);
+ } catch (StreamException e) {
+ error = e;
+ streamException = true;
+ } catch (Http2Exception e) {
+ error = e;
+ continueParsing = false;
+ }
}
}
}
} while (continueParsing);
} catch (RuntimeException | IOException | Http2Exception e) {
error = e;
- }
- if (payload.hasRemaining()) {
- socketWrapper.unRead(payload);
+ } finally {
+ if (payload.hasRemaining()) {
+ socketWrapper.unRead(payload);
+ }
}
}
if (state == CompletionState.DONE) {
diff --git a/java/org/apache/coyote/http2/Http2Protocol.java b/java/org/apache/coyote/http2/Http2Protocol.java
index 46b49d926ccb..7a27088b5ead 100644
--- a/java/org/apache/coyote/http2/Http2Protocol.java
+++ b/java/org/apache/coyote/http2/Http2Protocol.java
@@ -54,8 +54,10 @@ public class Http2Protocol implements UpgradeProtocol {
// Maximum amount of streams which can be concurrently executed over
// a single connection
static final int DEFAULT_MAX_CONCURRENT_STREAM_EXECUTION = 20;
-
+ // Default factor used when adjusting overhead count for overhead frames
static final int DEFAULT_OVERHEAD_COUNT_FACTOR = 10;
+ // Default factor used when adjusting overhead count for reset frames
+ static final int DEFAULT_OVERHEAD_RESET_FACTOR = 50;
// Not currently configurable. This makes the practical limit for
// overheadCountFactor to be ~20. The exact limit will vary with traffic
// patterns.
@@ -86,6 +88,7 @@ public class Http2Protocol implements UpgradeProtocol {
private int maxHeaderCount = Constants.DEFAULT_MAX_HEADER_COUNT;
private int maxTrailerCount = Constants.DEFAULT_MAX_TRAILER_COUNT;
private int overheadCountFactor = DEFAULT_OVERHEAD_COUNT_FACTOR;
+ private int overheadResetFactor = DEFAULT_OVERHEAD_RESET_FACTOR;
private int overheadContinuationThreshold = DEFAULT_OVERHEAD_CONTINUATION_THRESHOLD;
private int overheadDataThreshold = DEFAULT_OVERHEAD_DATA_THRESHOLD;
private int overheadWindowUpdateThreshold = DEFAULT_OVERHEAD_WINDOW_UPDATE_THRESHOLD;
@@ -292,6 +295,20 @@ public void setOverheadCountFactor(int overheadCountFactor) {
}
+ public int getOverheadResetFactor() {
+ return overheadResetFactor;
+ }
+
+
+ public void setOverheadResetFactor(int overheadResetFactor) {
+ if (overheadResetFactor < 0) {
+ this.overheadResetFactor = 0;
+ } else {
+ this.overheadResetFactor = overheadResetFactor;
+ }
+ }
+
+
public int getOverheadContinuationThreshold() {
return overheadContinuationThreshold;
}
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
index 0b2f554fccea..b8b440a740e6 100644
--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -380,7 +380,7 @@ public SocketState upgradeDispatch(SocketEvent status) {
stream.close(se);
}
} finally {
- if (overheadCount.get() > 0) {
+ if (isOverheadLimitExceeded()) {
throw new ConnectionException(
sm.getString("upgradeHandler.tooMuchOverhead", connectionId),
Http2Error.ENHANCE_YOUR_CALM);
@@ -1494,6 +1494,11 @@ private void updateOverheadCount(FrameType frameType, int increment) {
}
+ boolean isOverheadLimitExceeded() {
+ return overheadCount.get() > 0;
+ }
+
+
// ----------------------------------------------- Http2Parser.Input methods
@Override
@@ -1767,6 +1772,7 @@ public void reset(int streamId, long errorCode) throws Http2Exception {
log.debug(sm.getString("upgradeHandler.reset.receive", getConnectionId(), Integer.toString(streamId),
Long.toString(errorCode)));
}
+ increaseOverheadCount(FrameType.RST, getProtocol().getOverheadResetFactor());
AbstractNonZeroStream abstractNonZeroStream = getAbstractNonZeroStream(streamId, true);
abstractNonZeroStream.checkState(FrameType.RST);
if (abstractNonZeroStream instanceof Stream) {
@@ -1890,6 +1896,16 @@ public void incrementWindowSize(int streamId, int increment) throws Http2Excepti
}
}
+ @Override
+ public void priorityUpdate(int prioritizedStreamID, Priority p) throws Http2Exception {
+ increaseOverheadCount(FrameType.PRIORITY_UPDATE);
+ AbstractNonZeroStream abstractNonZeroStream = getAbstractNonZeroStream(prioritizedStreamID, true);
+ if (abstractNonZeroStream instanceof Stream) {
+ Stream stream = (Stream) abstractNonZeroStream;
+ stream.setUrgency(p.getUrgency());
+ stream.setIncremental(p.getIncremental());
+ }
+ }
@Override
public void onSwallowedUnknownFrame(int streamId, int frameTypeId, int flags, int size)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2be4fd7904e9..76bb52e78721 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -157,6 +157,9 @@
Align validation of HTTP trailer fields with standard fields. (markt)
+
+ Improvements to HTTP/2 overhead protection. (markt)
+
diff --git a/webapps/docs/config/http2.xml b/webapps/docs/config/http2.xml
index 629b135cc223..f78aa035389a 100644
--- a/webapps/docs/config/http2.xml
+++ b/webapps/docs/config/http2.xml
@@ -139,7 +139,7 @@
count starts at -10 * overheadCountFactor
. The count is
decreased by 20 for each data frame sent or received and each headers frame
received. The count is increased by the overheadCountFactor
- for each setting received, priority frame received and ping received. If
+ for each setting, priority, priority update and ping frame received. If
the overhead count exceeds zero, the connection is closed. A value of less
than 1
disables this protection. In normal usage a value of
approximately 20
or higher will close the connection before
@@ -147,6 +147,13 @@
10
will be used.
+
+ The amount by which the overhead count (see
+ overheadCountFactor) will be increased for each reset
+ frame received. If not specified, a default value of 50
will
+ be used. A value of less than zero will be treated as zero.
+
+
The threshold below which the average payload size of the current and
previous non-final DATA
frames will trigger an increase in
From 6d643cc20918b298c4936ca453b93d284dc1fe9c Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Wed, 18 Oct 2023 12:29:04 -0600
Subject: [PATCH 2/3] Backport fd8a2d09 and 01559a23
---
.../java/org/apache/tomcat/jdbc/pool/ConnectionPool.java | 8 ++++++--
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/ConnectionPool.java b/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/ConnectionPool.java
index bc77a3d085bd..0b8865418c44 100644
--- a/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/ConnectionPool.java
+++ b/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/ConnectionPool.java
@@ -43,6 +43,8 @@
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
+import javax.sql.XAConnection;
+
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -364,8 +366,10 @@ public Constructor> getProxyConstructor(boolean xa) throws NoSuchMethodExcepti
//cache the constructor
if (proxyClassConstructor == null ) {
Class> proxyClass = xa ?
- Proxy.getProxyClass(ConnectionPool.class.getClassLoader(), new Class[] {java.sql.Connection.class,javax.sql.PooledConnection.class, javax.sql.XAConnection.class}) :
- Proxy.getProxyClass(ConnectionPool.class.getClassLoader(), new Class[] {java.sql.Connection.class,javax.sql.PooledConnection.class});
+ Proxy.getProxyClass(ConnectionPool.class.getClassLoader(),
+ new Class[] {Connection.class, javax.sql.PooledConnection.class, XAConnection.class}) :
+ Proxy.getProxyClass(ConnectionPool.class.getClassLoader(),
+ new Class[] {Connection.class, javax.sql.PooledConnection.class});
proxyClassConstructor = proxyClass.getConstructor(new Class[] { InvocationHandler.class });
}
return proxyClassConstructor;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 76bb52e78721..6754b87f3389 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
issues do not "pop up" wrt. others).
-->
+
+
+
+ 67664: Correct a regression in the clean-up of unencessary
+ use of fully qualified class names in 10.1.14 that broke the jdbc-pool.
+ (markt)
+
+
+
From 9d0fdd444835dc1d18dd1bb54b8a7ded5d3d4f9c Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Wed, 18 Oct 2023 14:22:32 -0600
Subject: [PATCH 3/3] Remove extra change leaked in commit 0a641156
---
java/org/apache/coyote/http2/Http2UpgradeHandler.java | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
index b8b440a740e6..3285a4674368 100644
--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -1896,16 +1896,6 @@ public void incrementWindowSize(int streamId, int increment) throws Http2Excepti
}
}
- @Override
- public void priorityUpdate(int prioritizedStreamID, Priority p) throws Http2Exception {
- increaseOverheadCount(FrameType.PRIORITY_UPDATE);
- AbstractNonZeroStream abstractNonZeroStream = getAbstractNonZeroStream(prioritizedStreamID, true);
- if (abstractNonZeroStream instanceof Stream) {
- Stream stream = (Stream) abstractNonZeroStream;
- stream.setUrgency(p.getUrgency());
- stream.setIncremental(p.getIncremental());
- }
- }
@Override
public void onSwallowedUnknownFrame(int streamId, int frameTypeId, int flags, int size)