x/net/http2: sendWindowUpdate may send invalid window size increment #31170
Description
Disclaimer: I didn't run into an issue here, but I'm working on an HTTP/2 implementation and saw something that could possibly not be according to the spec.
The code linked below contains a loop that sends multiple WINDOW_UPDATE frames if the window size increment is higher than the allowed by the HTTP/2 spec. It then sends a last WINDOW_UPDATE frame after the loop has exited.
However, because the check reads: for n >= maxUint31, the last frame sent could contain a window size increment of 0 if the initial n is a multiple of 2^31 - 1. That is not allowed by the HTTP/2 spec:
From: https://httpwg.org/specs/rfc7540.html#rfc.section.6.9
A receiver MUST treat the receipt of a WINDOW_UPDATE frame with an flow-control window increment of 0 as a stream error (Section 5.4.2) of type PROTOCOL_ERROR; errors on the connection flow-control window MUST be treated as a connection error (Section 5.4.1).
I think the fix here would be just to change the >= check to >. I suspect that the reason nobody ran into this before is that it's already extremely unlikely that all the conditions for this bug to manifest are actually met in the wild.
P.S.: The questions in the issue template didn't really apply to this issue. Apologies in advance if this is not very helpful.