Validate HTTP/2 MAX_FRAME_SIZE before applying client settings (helidon-io#11291)

* Validate HTTP/2 MAX_FRAME_SIZE before applying client settings
* Add HTTP/2 integration test for invalid MAX_FRAME_SIZE returning PROTOCOL GO_AWAY

Signed-off-by: Daniel Kec <daniel.kec@oracle.com>

Author: danielkec

webserver/http2/src/main/java/io/helidon/webserver/http2/Http2Connection.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2025 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2026 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -219,6 +219,7 @@ public void handle(Semaphore requestSemaphore) throws InterruptedException {
      * @param http2Settings client settings to use
      */
     public void clientSettings(Http2Settings http2Settings) {
+        validateMaxFrameSize(http2Settings);
         this.clientSettings = http2Settings;
         this.receiveFrameListener.frame(ctx, 0, clientSettings);
         if (this.clientSettings.hasValue(Http2Setting.HEADER_TABLE_SIZE)) {
@@ -255,16 +256,23 @@ public void clientSettings(Http2Settings http2Settings) {
 
         if (this.clientSettings.hasValue(Http2Setting.MAX_FRAME_SIZE)) {
             Long maxFrameSize = this.clientSettings.value(Http2Setting.MAX_FRAME_SIZE);
-            // specification defines, that the frame size must be between the initial size (16384) and 2^24-1
-            if (maxFrameSize < WindowSize.DEFAULT_MAX_FRAME_SIZE || maxFrameSize > WindowSize.MAX_MAX_FRAME_SIZE) {
-                throw new Http2Exception(Http2ErrorCode.PROTOCOL,
-                                         "Frame size must be between 2^14 and 2^24-1, but is: " + maxFrameSize);
-            }
-
             flowControl.resetMaxFrameSize(maxFrameSize.intValue());
         }
     }
 
+    private static void validateMaxFrameSize(Http2Settings http2Settings) {
+        if (!http2Settings.hasValue(Http2Setting.MAX_FRAME_SIZE)) {
+            return;
+        }
+
+        Long maxFrameSize = http2Settings.value(Http2Setting.MAX_FRAME_SIZE);
+        // specification defines, that the frame size must be between the initial size (16384) and 2^24-1
+        if (maxFrameSize < WindowSize.DEFAULT_MAX_FRAME_SIZE || maxFrameSize > WindowSize.MAX_MAX_FRAME_SIZE) {
+            throw new Http2Exception(Http2ErrorCode.PROTOCOL,
+                                     "Frame size must be between 2^14 and 2^24-1, but is: " + maxFrameSize);
+        }
+    }
+
     /**
      * Connection headers from an upgrade request from HTTP/1.1.
      *

webserver/http2/src/test/java/io/helidon/webserver/http2/UpgradeSettingsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2026 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,16 +16,28 @@
 
 package io.helidon.webserver.http2;
 
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.Base64;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import io.helidon.common.buffers.BufferData;
+import io.helidon.common.buffers.DataReader;
 import io.helidon.common.buffers.DataWriter;
+import io.helidon.http.http2.Http2Exception;
+import io.helidon.http.http2.Http2FrameData;
+import io.helidon.http.http2.Http2FrameHeader;
+import io.helidon.http.http2.Http2FrameType;
+import io.helidon.http.http2.Http2GoAway;
 import io.helidon.http.HeaderValues;
 import io.helidon.http.HttpPrologue;
 import io.helidon.http.Method;
 import io.helidon.http.WritableHeaders;
 import io.helidon.http.http2.Http2Flag;
+import io.helidon.http.http2.Http2ErrorCode;
 import io.helidon.http.http2.Http2Settings;
+import io.helidon.http.http2.Http2Util;
 import io.helidon.webserver.ConnectionContext;
 import io.helidon.webserver.ListenerContext;
 import io.helidon.webserver.Router;
@@ -39,7 +51,12 @@
 import static io.helidon.http.http2.Http2Setting.MAX_FRAME_SIZE;
 import static io.helidon.http.http2.Http2Setting.MAX_HEADER_LIST_SIZE;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -62,6 +79,7 @@ public UpgradeSettingsTest() {
         when(ctx.router()).thenReturn(Router.empty());
         when(ctx.listenerContext()).thenReturn(mock(ListenerContext.class));
         when(ctx.dataWriter()).thenReturn(dataWriter);
+        when(ctx.dataReader()).thenReturn(mock(DataReader.class));
     }
 
     @Test
@@ -91,6 +109,65 @@ void urlEncodedSettings() {
         assertThat(s.presentValue(MAX_HEADER_LIST_SIZE).orElseThrow(), is(256L));
     }
 
+    @Test
+    void invalidMaxFrameSizeDoesNotReplaceLastValidSettings() {
+        Http2Connection connection = new Http2Connection(ctx, Http2Config.create(), List.of());
+
+        Http2Settings validSettings = Http2Settings.builder()
+                .add(MAX_FRAME_SIZE, 16384L)
+                .build();
+        connection.clientSettings(validSettings);
+
+        Http2Settings invalidSettings = Http2Settings.builder()
+                .add(MAX_FRAME_SIZE, 0L)
+                .build();
+
+        Http2Exception exception = assertThrows(Http2Exception.class,
+                                                () -> connection.clientSettings(invalidSettings));
+
+        assertThat(exception.code(), is(io.helidon.http.http2.Http2ErrorCode.PROTOCOL));
+        assertThat(connection.clientSettings().value(MAX_FRAME_SIZE), is(16384L));
+    }
+
+    @Test
+    void invalidMaxFrameSizeHandledWithProtocolGoAway() throws InterruptedException {
+        List<BufferData> writtenFrames = new ArrayList<>();
+        DataWriter dataWriter = mock(DataWriter.class);
+        doAnswer(invocation -> {
+            BufferData data = invocation.getArgument(0);
+            writtenFrames.add(data.copy());
+            return null;
+        }).when(dataWriter).writeNow(any(BufferData.class));
+
+        ConnectionContext connectionContext = mock(ConnectionContext.class);
+        when(connectionContext.router()).thenReturn(Router.empty());
+        when(connectionContext.listenerContext()).thenReturn(mock(ListenerContext.class));
+        when(connectionContext.dataWriter()).thenReturn(dataWriter);
+        when(connectionContext.dataReader()).thenReturn(invalidMaxFrameSizeReader());
+
+        Http2Connection connection = new Http2Connection(connectionContext,
+                                                         Http2Config.builder().sendErrorDetails(true).build(),
+                                                         List.of());
+        connection.expectPreface();
+        connection.handle(mock(io.helidon.common.concurrency.limits.Limit.class));
+
+        assertThat(writtenFrames.size(), greaterThanOrEqualTo(2));
+
+        BufferData goAwayData = writtenFrames.get(writtenFrames.size() - 1);
+        byte[] headerBytes = new byte[Http2FrameHeader.LENGTH];
+        goAwayData.read(headerBytes);
+        Http2FrameHeader frameHeader = Http2FrameHeader.create(BufferData.create(headerBytes));
+        assertThat(frameHeader.type(), is(Http2FrameType.GO_AWAY));
+
+        byte[] payloadBytes = new byte[frameHeader.length()];
+        goAwayData.read(payloadBytes);
+        Http2GoAway goAway = Http2GoAway.create(BufferData.create(payloadBytes));
+        assertThat(goAway, notNullValue());
+        assertThat(goAway.errorCode(), is(Http2ErrorCode.PROTOCOL));
+        assertThat(new String(payloadBytes, 8, payloadBytes.length - 8, StandardCharsets.UTF_8),
+                   is("Frame size must be between 2^14 and 2^24-1, but is: 0"));
+    }
+
     Http2Settings upgrade(String http2Settings) {
         WritableHeaders<?> headers = WritableHeaders.create().add(HeaderValues.create("HTTP2-Settings", http2Settings));
         Http2Upgrader http2Upgrader = Http2Upgrader.create(Http2Config.create());
@@ -105,4 +182,16 @@ byte[] settingsToBytes(Http2Settings settings) {
         settingsFrameData.read(b);
         return b;
     }
+
+    private static DataReader invalidMaxFrameSizeReader() {
+        Http2FrameData frameData = Http2Settings.builder()
+                .add(MAX_FRAME_SIZE, 0L)
+                .build()
+                .toFrameData(null, 0, Http2Flag.SettingsFlags.create(0));
+        BufferData input = BufferData.create(Http2Util.prefaceData(),
+                                             BufferData.create(frameData.header().write(), frameData.data()));
+        byte[] bytes = input.readBytes();
+        AtomicBoolean delivered = new AtomicBoolean();
+        return DataReader.create(() -> delivered.compareAndSet(false, true) ? bytes : null);
+    }
 }

webserver/tests/http2/src/test/java/io/helidon/webserver/tests/http2/InvalidSettingsTest.java

@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 2026 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.webserver.tests.http2;
+
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.time.Duration;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+import io.helidon.common.buffers.BufferData;
+import io.helidon.common.buffers.DataReader;
+import io.helidon.common.tls.Tls;
+import io.helidon.http.Method;
+import io.helidon.http.http2.Http2ConnectionWriter;
+import io.helidon.http.http2.Http2ErrorCode;
+import io.helidon.http.http2.Http2Flag;
+import io.helidon.http.http2.Http2FrameData;
+import io.helidon.http.http2.Http2FrameHeader;
+import io.helidon.http.http2.Http2FrameType;
+import io.helidon.http.http2.Http2GoAway;
+import io.helidon.http.http2.Http2Setting;
+import io.helidon.http.http2.Http2Settings;
+import io.helidon.http.http2.Http2Util;
+import io.helidon.webclient.api.ClientUri;
+import io.helidon.webclient.api.ConnectionKey;
+import io.helidon.webclient.api.DefaultDnsResolver;
+import io.helidon.webclient.api.DnsAddressLookup;
+import io.helidon.webclient.api.Proxy;
+import io.helidon.webclient.api.TcpClientConnection;
+import io.helidon.webclient.api.WebClient;
+import io.helidon.webserver.WebServer;
+import io.helidon.webserver.WebServerConfig;
+import io.helidon.webserver.http.HttpRouting;
+import io.helidon.webserver.http2.Http2Config;
+import io.helidon.webserver.http2.Http2Route;
+import io.helidon.webserver.testing.junit5.ServerTest;
+import io.helidon.webserver.testing.junit5.SetUpRoute;
+import io.helidon.webserver.testing.junit5.SetUpServer;
+
+import org.junit.jupiter.api.Test;
+import static io.netty.handler.codec.http2.Http2CodecUtil.FRAME_HEADER_LENGTH;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+@ServerTest
+public class InvalidSettingsTest {
+    private static final Duration TIMEOUT = Duration.ofSeconds(10);
+    private static final String INVALID_MAX_FRAME_SIZE_MESSAGE =
+            "Frame size must be between 2^14 and 2^24-1, but is: 0";
+    private final WebServer server;
+
+    InvalidSettingsTest(WebServer server) {
+        this.server = server;
+    }
+
+    @SetUpRoute
+    static void router(HttpRouting.Builder router) {
+        router.route(Http2Route.route(Method.GET, "/", (req, res) -> res.send("pong")));
+    }
+
+    @SetUpServer
+    static void setup(WebServerConfig.Builder server) {
+        server.addProtocol(Http2Config.builder().sendErrorDetails(true).build());
+    }
+
+    @Test
+    void invalidMaxFrameSizeReturnsProtocolGoAway() throws InterruptedException, ExecutionException, TimeoutException {
+        TcpClientConnection conn = connect();
+        try {
+            conn.writer().writeNow(Http2Util.prefaceData());
+            Http2ConnectionWriter dataWriter = new Http2ConnectionWriter(conn.helidonSocket(), conn.writer(), List.of());
+
+            dataWriter.write(settingsFrame(16384L));
+            dataWriter.write(settingsFrame(0L));
+
+            GoAwayResult goAway = awaitGoAway(conn.reader()).get(TIMEOUT.getSeconds(), TimeUnit.SECONDS);
+            assertThat(goAway.errorCode(), is(Http2ErrorCode.PROTOCOL));
+            assertThat(goAway.details(), is(INVALID_MAX_FRAME_SIZE_MESSAGE));
+        } finally {
+            conn.closeResource();
+        }
+    }
+
+    private TcpClientConnection connect() {
+        ClientUri clientUri = ClientUri.create(URI.create("http://localhost:" + server.port()));
+        ConnectionKey connectionKey = ConnectionKey.create(clientUri.scheme(),
+                                                           clientUri.host(),
+                                                           clientUri.port(),
+                                                           Tls.builder().enabled(false).build(),
+                                                           DefaultDnsResolver.create(),
+                                                           DnsAddressLookup.defaultLookup(),
+                                                           Proxy.noProxy());
+
+        return TcpClientConnection.create(WebClient.builder()
+                                                   .baseUri(clientUri)
+                                                   .build(),
+                                          connectionKey,
+                                          List.of(),
+                                          connection -> false,
+                                          connection -> {
+                                          })
+                .connect();
+    }
+
+    private static Http2FrameData settingsFrame(long maxFrameSize) {
+        Http2Settings http2Settings = Http2Settings.builder()
+                .add(Http2Setting.INITIAL_WINDOW_SIZE, 65535L)
+                .add(Http2Setting.MAX_FRAME_SIZE, maxFrameSize)
+                .add(Http2Setting.ENABLE_PUSH, false)
+                .build();
+        return http2Settings.toFrameData(null, 0, Http2Flag.SettingsFlags.create(0));
+    }
+
+    private static CompletableFuture<GoAwayResult> awaitGoAway(DataReader reader) {
+        CompletableFuture<GoAwayResult> gotGoAway = new CompletableFuture<>();
+        Thread.ofVirtual().start(() -> {
+            for (; ; ) {
+                BufferData frameHeaderBuffer = reader.readBuffer(FRAME_HEADER_LENGTH);
+                Http2FrameHeader frameHeader = Http2FrameHeader.create(frameHeaderBuffer);
+                BufferData data = reader.readBuffer(frameHeader.length());
+                if (frameHeader.type() == Http2FrameType.GO_AWAY) {
+                    byte[] payloadBytes = data.readBytes();
+                    Http2GoAway http2GoAway = Http2GoAway.create(BufferData.create(payloadBytes));
+                    gotGoAway.complete(new GoAwayResult(http2GoAway.errorCode(),
+                                                        new String(payloadBytes,
+                                                                   Integer.BYTES * 2,
+                                                                   payloadBytes.length - (Integer.BYTES * 2),
+                                                                   StandardCharsets.UTF_8)));
+                    break;
+                }
+            }
+        });
+        return gotGoAway;
+    }
+
+    private record GoAwayResult(Http2ErrorCode errorCode, String details) {
+    }
+}