- From: Martin Thomson <mt@lowentropy.net>
- Date: Tue, 09 Feb 2021 20:56:03 +1100
- To: ietf-http-wg@w3.org
Hi,

Thanks for sharing this. I think that I understand the problem you describe, but I'm not sure that I can see how this differs from CVE-2019-9511 “Data Dribble”[1].

Can you explain how this is different? Is the number 128 somehow special? The CVE talks about 1-byte increases; is this just that the problem exists for a range of smaller values?

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

On Tue, Feb 9, 2021, at 19:44, Meiling Chen wrote:
> Hello all,
> We find a problem when using http2.0 protocol, actually happening in
> our network, in the course of the interaction when
> window_size_increment in the window update frame less
> than 128 bytes and the increased window size also less than 128 bytes,
> then network connection will come to an error. We describe it in
> detail in the draft
> draft-chen-httpbis-window-size-use-case-00(https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size-use-case/).
> Meanwhile, we proposed a solution to the problem, by define the
> minimum value setting mechanism of HTTP2.0 Window and Window_update,
> and a Window_update frame sending
> mechanism. We describe interactive process in detail in the draft
> draft-chen-httpbis-window-size-00
> (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size/) .
>
> Comments are welcome.
>
> Best Wishes
>
> (Chen Meiling)
>
> --------------------------------------------------------------------------------------
>
> Research Institute of China Mobile Communications Co. Ltd
>
> Institute of Safety Technology
>
> Email address: chenmeiling@chinamobile.com
>
> Phone: 13810149515
>
> Telephone: 15801696688-34283
>
> Address: No. 32, Xuanwumen West Street, Xicheng District, Beijing
> (Mobile Innovation Building)
>
Received on Tuesday, 9 February 2021 09:56:38 UTC
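
As an added example (not part of the original message or of the drafts it cites): a Python check that walks a raw HTTP/2 frame stream and counts, per stream, the WINDOW_UPDATE frames whose increment is below 128 bytes, the threshold discussed in the thread. The function names and the sample bytes are constructed for illustration; the frame layout follows RFC 7540.

```python
import struct
from collections import Counter

WINDOW_UPDATE = 0x8          # frame type, RFC 7540 section 6.9
SMALL_INCREMENT = 128        # threshold taken from the message above


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete HTTP/2 frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", buf[pos + 3:pos + 9])
        end = pos + 9 + length
        if end > len(buf):           # truncated capture: stop, do not guess
            return
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos + 9:end]
        pos = end


def small_window_updates(buf, threshold=SMALL_INCREMENT):
    """Count WINDOW_UPDATE frames per stream whose increment is below threshold."""
    small = Counter()
    for ftype, _flags, sid, payload in iter_frames(buf):
        if ftype != WINDOW_UPDATE or len(payload) != 4:
            continue                 # malformed size is a separate error, not counted
        increment = int.from_bytes(payload, "big") & 0x7FFFFFFF
        if 0 < increment < threshold:
            small[sid] += 1
    return dict(small)


def make_frame(ftype, sid, payload, flags=0):
    """Build one frame (used only to construct the sample input)."""
    return len(payload).to_bytes(3, "big") + struct.pack(">BBI", ftype, flags, sid) + payload


# Constructed sample: stream 1 receives 1- and 100-byte credits, stream 3 is normal.
SAMPLE = b"".join([
    make_frame(WINDOW_UPDATE, 1, (1).to_bytes(4, "big")),
    make_frame(0x0, 1, b"x"),                                # DATA frame
    make_frame(WINDOW_UPDATE, 1, (100).to_bytes(4, "big")),
    make_frame(WINDOW_UPDATE, 3, (65535).to_bytes(4, "big")),
    make_frame(WINDOW_UPDATE, 0, (127).to_bytes(4, "big")),  # connection-level window
    make_frame(WINDOW_UPDATE, 3, (128).to_bytes(4, "big")),  # at threshold, not flagged
])

if __name__ == "__main__":
    print(small_window_updates(SAMPLE))
```

A sustained count on one stream or on stream 0 is the signal worth alerting on; a single small increment can occur in normal traffic.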