File tomcat-9.0.36-CVE-2025-53506.patch of Package tomcat.40071
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/ConnectionSettingsBase.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/ConnectionSettingsBase.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/ConnectionSettingsBase.java
@@ -62,6 +62,10 @@ abstract class ConnectionSettingsBase<T
final void set(Setting setting, long value) throws T {
+ set(setting, value, false);
+ }
+
+ final void set(Setting setting, long value, boolean force) throws T {
if (log.isDebugEnabled()) {
log.debug(sm.getString("connectionSettings.debug",
connectionId, getEndpointName(), setting, Long.toString(value)));
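Review bot: The new three-argument `set(Setting setting, long value, boolean force)` on the line after the two-argument wrapper is undocumented, while the `Long` overload later in this file gains a full Javadoc explaining `force`; a reader arriving at this entry point has to chase the delegation chain to learn what the flag means. A short doc would close the gap: `/** Validates {@code value} for {@code setting} and, if acceptable, applies it via {@link #set(Setting, Long, boolean)}; see that method for the meaning of {@code force}. */` (the validation itself lies between the two hunks, so word it to match what that code actually checks). The method body continues past the end of this hunk.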
@@ -93,11 +97,21 @@ abstract class ConnectionSettingsBase<T
return;
}
- set(setting, Long.valueOf(value));
+ set(setting, Long.valueOf(value), force);
}
- synchronized void set(Setting setting, Long value) {
+ /**
+ * Specify a new value for setting with the option to force the change to take effect immediately rather than
+ * waiting until an {@code ACK} is received.
+ *
+ * @param setting The setting to update
+ * @param value The new value for the setting
+ * @param force {@code false} if an {@code ACK} must be received before the setting takes effect or {@code true}
+ * if the setting to take effect immediately. Even if the setting takes effect immediately, it
+ * will still be included in the next {@code SETTINGS} frame and an {@code ACK} will be expected.
+ */
+ synchronized void set(Setting setting, Long value, boolean force) {
current.put(setting, value);
}
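Review bot: The base implementation of `set(Setting, Long, boolean)` ignores `force` entirely and writes `current.put(setting, value)` unconditionally, so the Javadoc's ACK/"take effect immediately" distinction only holds for subclasses that track pending values (the local subclass in this patch does; whether the remote subclass overrides this is not visible here). Stating that in the Javadoc avoids callers assuming the flag changes anything for the base class, e.g. `@implSpec The base implementation applies the value immediately and ignores {@code force}; subclasses that defer settings until an {@code ACK} override this method to honour it.` Minor wording in the `@param force` text: "if the setting to take effect immediately" is missing "is". The removal of the old two-argument `set(Setting, Long)` means any caller or override outside this patch must be updated; none is shown here.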
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
@@ -43,12 +43,15 @@ class ConnectionSettingsLocal extends Co
@Override
- final synchronized void set(Setting setting, Long value) {
+ final synchronized void set(Setting setting, Long value, boolean force) {
checkSend();
if (current.get(setting).longValue() == value.longValue()) {
pending.remove(setting);
} else {
pending.put(setting, value);
+ if (force) {
+ current.put(setting, value);
+ }
}
}
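Review bot: The forced branch leaves the existing equality check in charge of `pending`, so a forced set of a value followed — before the next SETTINGS frame goes out — by a non-forced set of the same value would hit the `current.get(setting).longValue() == value.longValue()` branch and drop the pending entry; the limit would then be enforced locally but never announced to the client, contrary to the base Javadoc's promise that a forced value is still sent. Whether that call sequence can occur depends on callers outside this hunk, so this may only warrant a note, but the intent of the new lines deserves a comment either way: `// Enforce the limit locally now rather than after the client's ACK; the pending entry still carries the value in the next SETTINGS frame.` The `checkSend()` contract and the ACK handling that promotes `pending` into `current` are outside this hunk, so the interaction cannot be fully checked here.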
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -158,8 +158,12 @@ class Http2UpgradeHandler extends Abstra
remoteSettings = new ConnectionSettingsRemote(connectionId);
localSettings = new ConnectionSettingsLocal(connectionId);
- localSettings.set(Setting.MAX_CONCURRENT_STREAMS, protocol.getMaxConcurrentStreams());
- localSettings.set(Setting.INITIAL_WINDOW_SIZE, protocol.getInitialWindowSize());
+ /*
+ * Force set these initial limits. A well-behaved client should ACK the settings and adhere to them before it
+ * reaches the limits anyway.
+ */
+ localSettings.set(Setting.MAX_CONCURRENT_STREAMS, protocol.getMaxConcurrentStreams(), true);
+ localSettings.set(Setting.INITIAL_WINDOW_SIZE, protocol.getInitialWindowSize(), true);
pingManager.initiateDisabled = protocol.getInitiatePingDisabled();
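Review bot: The new comment describes the well-behaved client but not the case the forcing actually defends against, which is what a maintainer needs to know before ever changing `true` back: until the client ACKs, the connection was previously governed by the protocol defaults rather than the configured `MAX_CONCURRENT_STREAMS` and `INITIAL_WINDOW_SIZE`, so a client that delays or withholds its ACK was not held to the configured limits. Suggest extending the comment with `Without forcing, a client that never ACKs would be governed by the protocol default values for these settings until the ACK arrives, so the configured limits would not be enforced.` If other local settings are populated from `protocol` outside this hunk, it is worth checking whether they need the same treatment. The enclosing constructor begins before and continues after this hunk.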
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -224,6 +224,10 @@
multi-part request and <code>maxPartHeaderSize</code> limits the size of
the headers provided with each part. (markt)
</add>
+ <fix>
+ When setting the initial HTTP/2 connection limit, apply those limits
+ earlier. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">