Fix H2 IWS=0 and HTTP/1 slow-read response-body buffering DoS.

bryancall · claude · bryancall · commit b76c4cf3ff80 · 2026-05-06T04:46:03.000-07:00
HTTP/2 INITIAL_WINDOW_SIZE=0 attack: a client advertising a zero send
window causes ATS to fetch origin responses that it cannot forward,
allowing unbounded response-body accumulation in IOBuffers.

For HTTP/2, add a per-stream _send_buffer_full flag. When
send_a_data_frame() returns NO_WINDOW, the flag is set and
update_write_request() skips future send attempts, preventing the
origin read VIO from being re-enabled. The flag is cleared in
restart_sending() when a WINDOW_UPDATE opens the peer window.
Measured buffer per stream: ~86 KB vs 100 MB origin body.

For HTTP/1, enable HttpTunnel flow control by default (high_water=32 MB,
low_water=8 MB). TCP backpressure already naturally limits per-stream
buffering to ~150 KB, and the application-level watermarks add a
defense-in-depth cap. Measured buffer per stream: ~148 KB vs 100 MB.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/include/proxy/http2/Http2Stream.h b/include/proxy/http2/Http2Stream.h
@@ -189,6 +189,7 @@ class Http2Stream : public ProxyTransaction
 
   bool parsing_header_done       = false;
   bool is_first_transaction_flag = false;
+  bool _send_buffer_full         = false;
 
   HTTPHdr                    _send_header;
   IOBufferReader            *_send_reader  = nullptr;
diff --git a/src/proxy/http2/Http2ConnectionState.cc b/src/proxy/http2/Http2ConnectionState.cc
@@ -2298,6 +2298,13 @@ Http2ConnectionState::send_a_data_frame(Http2Stream *stream, size_t &payload_len
       }
       Http2StreamDebug(this->session, stream->get_id(), "No window session_wnd=%zd stream_wnd=%zd peer_initial_window=%u",
                        get_peer_rwnd(), stream->get_peer_rwnd(), this->peer_settings.get(HTTP2_SETTINGS_INITIAL_WINDOW_SIZE));
+
+      // Mark the stream write-stalled so update_write_request skips future
+      // send attempts until restart_sending clears this on a WINDOW_UPDATE.
+      // This stops the origin read VIO from being re-enabled while the peer
+      // window is zero, bounding how much response body can accumulate.
+      stream->_send_buffer_full = true;
+
       this->session->flush();
       return Http2SendDataFrameResult::NO_WINDOW;
     }
diff --git a/src/proxy/http2/Http2Stream.cc b/src/proxy/http2/Http2Stream.cc
@@ -772,6 +772,11 @@ Http2Stream::restart_sending()
   if (this->is_closed()) {
     return;
   }
+
+  // The peer's flow-control window has opened; allow update_write_request to
+  // proceed again so origin reads can resume.
+  _send_buffer_full = false;
+
   if (!this->parsing_header_done) {
     this->update_write_request(true);
     return;
@@ -806,6 +811,13 @@ Http2Stream::update_write_request(bool call_update)
     return;
   }
 
+  // If we are backed up waiting for the peer's flow-control window to open,
+  // don't consume more data from the origin-side buffer. This prevents the
+  // origin read VIO from being re-enabled and keeps memory bounded.
+  if (parsing_header_done && _send_buffer_full) {
+    return;
+  }
+
   if (!this->_switch_thread_if_not_on_right_thread(VC_EVENT_WRITE_READY, nullptr)) {
     // Not on the right thread
     return;
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
@@ -349,11 +349,11 @@ static constexpr RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.http.strict_chunk_parsing", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.http.flow_control.enabled", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  {RECT_CONFIG, "proxy.config.http.flow_control.enabled", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.http.flow_control.high_water", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  {RECT_CONFIG, "proxy.config.http.flow_control.high_water", RECD_INT, "33554432", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.http.flow_control.low_water", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  {RECT_CONFIG, "proxy.config.http.flow_control.low_water", RECD_INT, "8388608", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.http.post.check.content_length.enabled", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,

Original file line number	Diff line number	Diff line change
`@@ -2298,6 +2298,13 @@ Http2ConnectionState::send_a_data_frame(Http2Stream *stream, size_t &payload_len`
`2298`	`2298`	`}`
`2299`	`2299`	`Http2StreamDebug(this->session, stream->get_id(), "No window session_wnd=%zd stream_wnd=%zd peer_initial_window=%u",`
`2300`	`2300`	`get_peer_rwnd(), stream->get_peer_rwnd(), this->peer_settings.get(HTTP2_SETTINGS_INITIAL_WINDOW_SIZE));`
	`2301`	`+`
	`2302`	`+ // Mark the stream write-stalled so update_write_request skips future`
	`2303`	`+ // send attempts until restart_sending clears this on a WINDOW_UPDATE.`
	`2304`	`+ // This stops the origin read VIO from being re-enabled while the peer`
	`2305`	`+ // window is zero, bounding how much response body can accumulate.`
	`2306`	`+ stream->_send_buffer_full = true;`
	`2307`	`+`
`2301`	`2308`	`this->session->flush();`
`2302`	`2309`	`return Http2SendDataFrameResult::NO_WINDOW;`
`2303`	`2310`	`}`
Original file line number	Diff line number	Diff line change
`@@ -349,11 +349,11 @@ static constexpr RecordElement RecordsConfig[] =`
`349`	`349`	`,`
`350`	`350`	`{RECT_CONFIG, "proxy.config.http.strict_chunk_parsing", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}`
`351`	`351`	`,`
`352`		`- {RECT_CONFIG, "proxy.config.http.flow_control.enabled", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
	`352`	`+ {RECT_CONFIG, "proxy.config.http.flow_control.enabled", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
`353`	`353`	`,`
`354`		`- {RECT_CONFIG, "proxy.config.http.flow_control.high_water", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
	`354`	`+ {RECT_CONFIG, "proxy.config.http.flow_control.high_water", RECD_INT, "33554432", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
`355`	`355`	`,`
`356`		`- {RECT_CONFIG, "proxy.config.http.flow_control.low_water", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
	`356`	`+ {RECT_CONFIG, "proxy.config.http.flow_control.low_water", RECD_INT, "8388608", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}`
`357`	`357`	`,`
`358`	`358`	`{RECT_CONFIG, "proxy.config.http.post.check.content_length.enabled", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}`
`359`	`359`	`,`