HTTP/2: ignore reserved MSB in 31-bit fields #633
Merged
arturobernalg merged 1 commit into apache:master from Feb 22, 2026
ok2c
requested changes
Feb 22, 2026
httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/nio/AbstractH2StreamMultiplexer.java
Mask the reserved MSB when parsing the HTTP/2 stream identifier and 31-bit values carried by WINDOW_UPDATE, PUSH_PROMISE and GOAWAY. This avoids treating otherwise valid values as negative ints and matches RFC 9113.
508db47 to
134f6bf
ok2c
approved these changes
Feb 22, 2026
ok2c (Member) left a comment:
@arturobernalg Please do not forget to update the PR description!
Mask the reserved MSB on all received 31-bit identifiers / values (frame Stream Identifier, WINDOW_UPDATE increment, PUSH_PROMISE promised stream id, GOAWAY last-stream-id) to comply with RFC 9113 and avoid mis-parsing them as signed integers.
RFC 9113 4.1 (Frame Format): "The semantics of this bit are undefined, and the bit MUST remain unset (0x00) when sending and MUST be ignored when receiving."
RFC 9113 4.1 (Frame Format): "A stream identifier ... expressed as an unsigned 31-bit integer."
RFC 9113 6.6 (PUSH_PROMISE): "An unsigned 31-bit integer that identifies the stream that is reserved by the PUSH_PROMISE."
RFC 9113 6.8 (GOAWAY), Figure 10: "Reserved (1), Last-Stream-ID (31)"
RFC 9113 6.9 (WINDOW_UPDATE): "The frame payload of a WINDOW_UPDATE frame is one reserved bit plus an unsigned 31-bit integer."
RFC 9113 6.9 (WINDOW_UPDATE): "The legal range for the increment to the flow-control window is 1 to 2^{31}-1."
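The masking described in the PR description above, shown on a frame whose sender set the reserved bit. This is an added example, not code from the pull request or from HttpCore: the class, method and constant names are hypothetical, and the frame bytes are constructed.

```java
import java.nio.ByteBuffer;

public class ReservedBitExample {

    // Keeps the low 31 bits and drops the reserved MSB
    // (RFC 9113 4.1: the bit "MUST be ignored when receiving").
    static final int MASK_31 = 0x7fffffff;

    /** Stream identifier from a 9-byte frame header: length(24) type(8) flags(8) R(1) id(31). */
    static int streamId(ByteBuffer header, boolean mask) {
        int raw = header.getInt(5); // absolute read, big-endian by default
        return mask ? raw & MASK_31 : raw;
    }

    /** WINDOW_UPDATE increment from a 4-byte payload: R(1) increment(31). */
    static int windowIncrement(ByteBuffer payload) {
        int increment = payload.getInt(0) & MASK_31;
        // After masking the value cannot be negative; 0 is the only value
        // left outside the legal range 1 to 2^31-1.
        if (increment == 0) {
            throw new IllegalArgumentException("WINDOW_UPDATE increment outside 1..2^31-1");
        }
        return increment;
    }

    public static void main(String[] args) {
        // Constructed sample: WINDOW_UPDATE (type 0x8) on stream 3, reserved bit set.
        ByteBuffer header = ByteBuffer.wrap(new byte[] {
            0x00, 0x00, 0x04,              // length = 4
            0x08,                          // type = WINDOW_UPDATE
            0x00,                          // flags
            (byte) 0x80, 0x00, 0x00, 0x03  // R = 1, stream id = 3
        });
        ByteBuffer payload = ByteBuffer.wrap(new byte[] {
            (byte) 0x80, 0x00, 0x01, 0x00  // R = 1, increment = 256
        });

        // Without the mask, Java's signed int turns the set MSB into a negative id.
        System.out.println("unmasked stream id: " + streamId(header, false));
        System.out.println("masked stream id:   " + streamId(header, true));
        System.out.println("window increment:   " + windowIncrement(payload));
    }
}
```

The same mask applies to the PUSH_PROMISE promised stream id and the GOAWAY last-stream-id, which share the one-reserved-bit-plus-31-bit layout quoted above.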