Fix bug in HTTP/2 headers parsing

Author: markt-asf

java/org/apache/coyote/http2/Http2Parser.java

@@ -247,6 +247,12 @@ protected void readHeadersFrame(int streamId, int flags, int payloadSize, ByteBu
             } else {
                 buffer.get(optional);
             }
+            /*
+             * The optional padLength byte and priority bytes (if any) don't count towards the payload size when
+             * comparing payload size to padLength as required by RFC 9113, section 6.2.
+             */
+            payloadSize -= optionalLen;
+
             if (padding) {
                 padLength = ByteUtil.getOneByte(optional, 0);
                 if (padLength >= payloadSize) {
@@ -255,11 +261,10 @@ protected void readHeadersFrame(int streamId, int flags, int payloadSize, ByteBu
                             Http2Error.PROTOCOL_ERROR);
                 }
             }
-
-            // Ignore RFC 7450 priority data if present
-
-            payloadSize -= optionalLen;
+            // The padding does not count towards the size of payload that is read below.
             payloadSize -= padLength;
+
+            // Any RFC 7450 priority data was read into the byte[] optional above. It is ignored.
         }
 
         readHeaderPayload(streamId, payloadSize, buffer);

webapps/docs/changelog.xml

@@ -105,6 +105,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 11.0.21 (markt)" rtext="in development">
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Fix an HTTP/2 header frame parsing bug that could result in a connection
+        being closed without a <code>GOAWAY</code> frame if an invalid
+        <code>HEADERS</code> frame was received. (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 11.0.20 (markt)" rtext="release in progress">
   <subsection name="Coyote">