Merge commit from fork

normanmaurer · web-flow · commit 350da8750a44 · 2025-08-13T14:14:00.000+02:00
* Enforce the maximum number of RST frames that can be sent in window of time

Motivation:

A remote peer might be able to trigger an instance to generate and send RST frames by sending invalid frames on an existing stream. This can cause high resource usage and so might be abused by a remote peer.

Modifications:

Limit the number of RSTs that we allow to be generated and so send in a specific time window. If this limit is reached a GO_AWAY frame is send and the connection be closed.

Result:

Fix high resource usage that can be caused by a remote peer by trigger RST frames

* Adjust testing

* Address comments
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
@@ -109,9 +109,10 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
     private boolean autoAckPingFrame = true;
     private int maxQueuedControlFrames = Http2CodecUtil.DEFAULT_MAX_QUEUED_CONTROL_FRAMES;
     private int maxConsecutiveEmptyFrames = 2;
-    private Integer maxRstFramesPerWindow;
-    private int secondsPerWindow = 30;
-
+    private Integer maxDecodedRstFramesPerWindow;
+    private int maxDecodedRstFramesSecondsPerWindow = 30;
+    private Integer maxEncodedRstFramesPerWindow;
+    private int maxEncodedRstFramesSecondsPerWindow = 30;
     /**
      * Sets the {@link Http2Settings} to use for the initial connection settings exchange.
      */
@@ -444,9 +445,24 @@ protected B decoderEnforceMaxConsecutiveEmptyDataFrames(int maxConsecutiveEmptyF
      */
     protected B decoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
         enforceNonCodecConstraints("decoderEnforceMaxRstFramesPerWindow");
-        this.maxRstFramesPerWindow = checkPositiveOrZero(
+        this.maxDecodedRstFramesPerWindow = checkPositiveOrZero(
+                maxRstFramesPerWindow, "maxRstFramesPerWindow");
+        this.maxDecodedRstFramesSecondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
+        return self();
+    }
+
+    /**
+     * Sets the maximum number RST frames that are allowed per window before
+     * the connection is closed. This allows to protect against the remote peer that will trigger us to generate a flood
+     * of RST frames and so use up a lot of CPU.
+     *
+     * {@code 0} for any of the parameters means no protection should be applied.
+     */
+    protected B encoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
+        enforceNonCodecConstraints("decoderEnforceMaxRstFramesPerWindow");
+        this.maxEncodedRstFramesPerWindow = checkPositiveOrZero(
                 maxRstFramesPerWindow, "maxRstFramesPerWindow");
-        this.secondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
+        this.maxEncodedRstFramesSecondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
         return self();
     }
 
@@ -571,6 +587,21 @@ private T buildFromConnection(Http2Connection connection) {
         if (maxQueuedControlFrames != 0) {
             encoder = new Http2ControlFrameLimitEncoder(encoder, maxQueuedControlFrames);
         }
+        final int maxEncodedRstFrames;
+        if (maxEncodedRstFramesPerWindow == null) {
+            // Only enable by default on the server.
+            if (isServer()) {
+                maxEncodedRstFrames = DEFAULT_MAX_RST_FRAMES_PER_CONNECTION_FOR_SERVER;
+            } else {
+                maxEncodedRstFrames = 0;
+            }
+        } else {
+            maxEncodedRstFrames = maxEncodedRstFramesPerWindow;
+        }
+        if (maxEncodedRstFrames > 0 && maxEncodedRstFramesSecondsPerWindow > 0) {
+            encoder = new Http2MaxRstFrameLimitEncoder(
+                    encoder, maxEncodedRstFrames, maxEncodedRstFramesSecondsPerWindow);
+        }
         if (encoderEnforceMaxConcurrentStreams) {
             if (connection.isServer()) {
                 encoder.close();
@@ -592,19 +623,19 @@ private T buildFromCodec(Http2ConnectionDecoder decoder, Http2ConnectionEncoder
         if (maxConsecutiveEmptyDataFrames > 0) {
             decoder = new Http2EmptyDataFrameConnectionDecoder(decoder, maxConsecutiveEmptyDataFrames);
         }
-        final int maxRstFrames;
-        if (maxRstFramesPerWindow == null) {
+        final int maxDecodedRstFrames;
+        if (maxDecodedRstFramesPerWindow == null) {
             // Only enable by default on the server.
             if (isServer()) {
-                maxRstFrames = DEFAULT_MAX_RST_FRAMES_PER_CONNECTION_FOR_SERVER;
+                maxDecodedRstFrames = DEFAULT_MAX_RST_FRAMES_PER_CONNECTION_FOR_SERVER;
             } else {
-                maxRstFrames = 0;
+                maxDecodedRstFrames = 0;
             }
         } else {
-            maxRstFrames = maxRstFramesPerWindow;
+            maxDecodedRstFrames = maxDecodedRstFramesPerWindow;
         }
-        if (maxRstFrames > 0 && secondsPerWindow > 0) {
-            decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFrames, secondsPerWindow);
+        if (maxDecodedRstFrames > 0 && maxDecodedRstFramesSecondsPerWindow > 0) {
+            decoder = new Http2MaxRstFrameDecoder(decoder, maxDecodedRstFrames, maxDecodedRstFramesSecondsPerWindow);
         }
         final T handler;
         try {
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandlerBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandlerBuilder.java
@@ -18,6 +18,8 @@
 
 import io.netty.handler.codec.http2.Http2HeadersEncoder.SensitivityDetector;
 
+import static io.netty.util.internal.ObjectUtil.checkPositiveOrZero;
+
 /**
  * Builder which builds {@link Http2ConnectionHandler} objects.
  */
@@ -122,6 +124,12 @@ public Http2ConnectionHandlerBuilder decoderEnforceMaxRstFramesPerWindow(
         return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
     }
 
+    @Override
+    public Http2ConnectionHandlerBuilder encoderEnforceMaxRstFramesPerWindow(
+            int maxRstFramesPerWindow, int secondsPerWindow) {
+        return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+    }
+
     @Override
     public Http2ConnectionHandler build() {
         return super.build();
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
@@ -197,6 +197,12 @@ public Http2FrameCodecBuilder decoderEnforceMaxRstFramesPerWindow(
         return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
     }
 
+    @Override
+    public Http2FrameCodecBuilder encoderEnforceMaxRstFramesPerWindow(
+            int maxRstFramesPerWindow, int secondsPerWindow) {
+        return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+    }
+
     /**
      * Build a {@link Http2FrameCodec} object.
      */
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License, version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.netty.handler.codec.http2;
+
+import io.netty.channel.ChannelFuture;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelPromise;
+import io.netty.util.internal.logging.InternalLogger;
+import io.netty.util.internal.logging.InternalLoggerFactory;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * {@link DecoratingHttp2ConnectionEncoder} which guards against a remote peer that will trigger a massive amount
+ * of RST frames on an existing connection.
+ * This encoder will tear-down the connection once we reached the configured limit to reduce the risk of DDOS.
+ */
+final class Http2MaxRstFrameLimitEncoder extends DecoratingHttp2ConnectionEncoder {
+    private static final InternalLogger logger = InternalLoggerFactory.getInstance(Http2MaxRstFrameLimitEncoder.class);
+
+    private final long nanosPerWindow;
+    private final int maxRstFramesPerWindow;
+    private long lastRstFrameNano = System.nanoTime();
+    private int sendRstInWindow;
+    private Http2LifecycleManager lifecycleManager;
+
+    Http2MaxRstFrameLimitEncoder(Http2ConnectionEncoder delegate, int maxRstFramesPerWindow, int secondsPerWindow) {
+        super(delegate);
+        this.maxRstFramesPerWindow = maxRstFramesPerWindow;
+        this.nanosPerWindow = TimeUnit.SECONDS.toNanos(secondsPerWindow);
+    }
+
+    @Override
+    public void lifecycleManager(Http2LifecycleManager lifecycleManager) {
+        this.lifecycleManager = lifecycleManager;
+        super.lifecycleManager(lifecycleManager);
+    }
+
+    @Override
+    public ChannelFuture writeRstStream(ChannelHandlerContext ctx, int streamId, long errorCode,
+                                        ChannelPromise promise) {
+        ChannelFuture future = super.writeRstStream(ctx, streamId, errorCode, promise);
+        if (countRstFrameErrorCode(errorCode)) {
+            long currentNano = System.nanoTime();
+            if (currentNano - lastRstFrameNano >= nanosPerWindow) {
+                lastRstFrameNano = currentNano;
+                sendRstInWindow = 1;
+            } else {
+                sendRstInWindow++;
+                if (sendRstInWindow > maxRstFramesPerWindow) {
+                    Http2Exception exception = Http2Exception.connectionError(Http2Error.ENHANCE_YOUR_CALM,
+                            "Maximum number %d of RST frames frames reached within %d seconds", maxRstFramesPerWindow,
+                            TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow));
+
+                    logger.debug("{} Maximum number {} of RST frames reached within {} seconds, " +
+                                    "closing connection with {} error", ctx.channel(), maxRstFramesPerWindow,
+                            TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow), exception.error(),
+                            exception);
+                    // First notify the Http2LifecycleManager and then close the connection.
+                    lifecycleManager.onError(ctx, true, exception);
+                    ctx.close();
+                }
+            }
+        }
+
+        return future;
+    }
+
+    private boolean countRstFrameErrorCode(long errorCode) {
+        // Don't count CANCEL and NO_ERROR as these might be ok.
+        return errorCode != Http2Error.CANCEL.code() && errorCode != Http2Error.NO_ERROR.code();
+    }
+}
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
@@ -215,6 +215,12 @@ public Http2MultiplexCodecBuilder decoderEnforceMaxRstFramesPerWindow(
         return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
     }
 
+    @Override
+    public Http2MultiplexCodecBuilder encoderEnforceMaxRstFramesPerWindow(
+            int maxRstFramesPerWindow, int secondsPerWindow) {
+        return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+    }
+
     @Override
     public Http2MultiplexCodec build() {
         Http2FrameWriter frameWriter = this.frameWriter;
diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoderTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoderTest.java
