Skip to content

(http2): Lower WINDOWS_UPDATE received on (half)closed stream to stream abortion #63873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 30, 2025
Merged

(http2): Lower WINDOWS_UPDATE received on (half)closed stream to stream abortion #63873

merged 2 commits into from
Sep 30, 2025
+10 −5

Conversation

DeagleGross
Copy link
Member

As per discussion in #63726 other servers interpret the HTTP2 spec differently, and Kestrel is the most secure with the behavior: if WINDOWS_UPDATE frame is received on the half-closed or closed stream, it aborts the whole connection.

Current PR is lowering the error from connection-level to stream-level.

Fixes #63726
Unquarantines #53744

@Copilot Copilot AI review requested due to automatic review settings September 29, 2025 19:03
Copilot
Copilot AI reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This change modifies Kestrel's HTTP/2 behavior to handle WINDOW_UPDATE frames received on closed or half-closed streams more permissively by downgrading from a connection-level error to a stream-level error.

  • Changes error handling for WINDOW_UPDATE frames on closed streams from connection abort to stream error
  • Updates test expectations to match new stream-level error behavior
  • Removes quarantine from test that was previously failing due to strict connection abort

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
Http2Connection.cs Changes WINDOW_UPDATE on closed stream from connection abort to stream error with detailed documentation
Http2ConnectionTests.cs Updates test to expect stream error instead of connection error and removes quarantine

@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Sep 29, 2025
halter73
halter73 approved these changes Sep 29, 2025
View reviewed changes
@DeagleGross DeagleGross self-assigned this Sep 29, 2025
@build-analysis build-analysis bot mentioned this pull request Sep 29, 2025
Open
@DeagleGross DeagleGross merged commit 0585ae7 into main Sep 30, 2025
30 checks passed
@DeagleGross DeagleGross deleted the dmkorolev/h2-windowupdate branch September 30, 2025 10:11
@dotnet-policy-service dotnet-policy-service bot added this to the 11.0-preview1 milestone Sep 30, 2025
@DeagleGross
Copy link
Member Author

/backport to release/10.0

@github-actions GitHub Actions
Copy link
Contributor

Started backporting to release/10.0: https://github.com/dotnet/aspnetcore/actions/runs/18131546148

@github-actions github-actions bot mentioned this pull request Sep 30, 2025
Merged
11 tasks
@DeagleGross
Copy link
Member Author

/backport to release/8.0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 2, 2025

Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/18193206628

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 2, 2025

@DeagleGross backporting to "release/8.0" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: change WINDOWS_UPDATE received on (half)closed stream to stream-level error instead of connection-level error
Using index info to reconstruct a base tree...
M	src/Servers/Kestrel/Core/src/Internal/Http2/Http2Connection.cs
M	src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Servers/Kestrel/Core/src/Internal/Http2/Http2Connection.cs
CONFLICT (content): Merge conflict in src/Servers/Kestrel/Core/src/Internal/Http2/Http2Connection.cs
Auto-merging src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
CONFLICT (content): Merge conflict in src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 change WINDOWS_UPDATE received on (half)closed stream to stream-level error instead of connection-level error
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@DeagleGross DeagleGross mentioned this pull request Oct 2, 2025
Merged
11 tasks
@DeagleGross
Copy link
Member Author

/backport to release/9.0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 6, 2025

Started backporting to release/9.0: https://github.com/dotnet/aspnetcore/actions/runs/18279450394

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 6, 2025

@DeagleGross backporting to "release/9.0" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: change WINDOWS_UPDATE received on (half)closed stream to stream-level error instead of connection-level error
Using index info to reconstruct a base tree...
M	src/Servers/Kestrel/Core/src/Internal/Http2/Http2Connection.cs
M	src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Servers/Kestrel/Core/src/Internal/Http2/Http2Connection.cs
Auto-merging src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
CONFLICT (content): Merge conflict in src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2ConnectionTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 change WINDOWS_UPDATE received on (half)closed stream to stream-level error instead of connection-level error
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@DeagleGross DeagleGross mentioned this pull request Oct 6, 2025
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@halter73 halter73 halter73 approved these changes

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

Assignees

@DeagleGross DeagleGross

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
11.0-preview1
Development

Successfully merging this pull request may close these issues.

Kestrel emits GOAWAY frame in response to WINDOW_UPDATE on closed stream
2 participants
@DeagleGross @halter73