tomcat/CVE-2019-0199-4.patch

--- tomcat/java/org/apache/coyote/http2/Http2Protocol.java	2019/02/01 10:28:14	1852700
+++ tomcat/java/org/apache/coyote/http2/Http2Protocol.java	2019/02/01 10:28:18	1852701
@@ -41,9 +41,9 @@
 
 public class Http2Protocol implements UpgradeProtocol {
 
-    static final long DEFAULT_READ_TIMEOUT = 10000;
-    static final long DEFAULT_WRITE_TIMEOUT = 10000;
-    static final long DEFAULT_KEEP_ALIVE_TIMEOUT = -1;
+    static final long DEFAULT_READ_TIMEOUT = 5000;
+    static final long DEFAULT_WRITE_TIMEOUT = 5000;
+    static final long DEFAULT_KEEP_ALIVE_TIMEOUT = 20000;
     static final long DEFAULT_STREAM_READ_TIMEOUT = 20000;
     static final long DEFAULT_STREAM_WRITE_TIMEOUT = 20000;
     // The HTTP/2 specification recommends a minimum default of 100
--- tomcat/java/org/apache/coyote/http2/Http2UpgradeHandler.java	2019/02/01 10:28:14	1852700
+++ tomcat/java/org/apache/coyote/http2/Http2UpgradeHandler.java	2019/02/01 10:28:18	1852701
@@ -329,9 +329,16 @@
                             }
                         }
                     }
-                    // No more frames to read so switch to the keep-alive
-                    // timeout.
-                    socketWrapper.setReadTimeout(protocol.getKeepAliveTimeout());
+
+                    if (activeRemoteStreamCount.get() == 0) {
+                        // No streams currently active. Use the keep-alive
+                        // timeout for the connection.
+                        socketWrapper.setReadTimeout(protocol.getKeepAliveTimeout());
+                    } else {
+                        // Streams currently active. Individual streams have
+                        // timeouts so keep the connection open.
+                        socketWrapper.setReadTimeout(-1);
+                    }
                 } catch (Http2Exception ce) {
                     // Really ConnectionException
                     if (log.isDebugEnabled()) {
package init 2020-02-28 20:54:21 -05:00			`--- tomcat/java/org/apache/coyote/http2/Http2Protocol.java 2019/02/01 10:28:14 1852700`
			`+++ tomcat/java/org/apache/coyote/http2/Http2Protocol.java 2019/02/01 10:28:18 1852701`
			`@@ -41,9 +41,9 @@`

			`public class Http2Protocol implements UpgradeProtocol {`

			`- static final long DEFAULT_READ_TIMEOUT = 10000;`
			`- static final long DEFAULT_WRITE_TIMEOUT = 10000;`
			`- static final long DEFAULT_KEEP_ALIVE_TIMEOUT = -1;`
			`+ static final long DEFAULT_READ_TIMEOUT = 5000;`
			`+ static final long DEFAULT_WRITE_TIMEOUT = 5000;`
			`+ static final long DEFAULT_KEEP_ALIVE_TIMEOUT = 20000;`
			`static final long DEFAULT_STREAM_READ_TIMEOUT = 20000;`
			`static final long DEFAULT_STREAM_WRITE_TIMEOUT = 20000;`
			`// The HTTP/2 specification recommends a minimum default of 100`
			`--- tomcat/java/org/apache/coyote/http2/Http2UpgradeHandler.java 2019/02/01 10:28:14 1852700`
			`+++ tomcat/java/org/apache/coyote/http2/Http2UpgradeHandler.java 2019/02/01 10:28:18 1852701`
			`@@ -329,9 +329,16 @@`
			`}`
			`}`
			`}`
			`- // No more frames to read so switch to the keep-alive`
			`- // timeout.`
			`- socketWrapper.setReadTimeout(protocol.getKeepAliveTimeout());`
			`+`
			`+ if (activeRemoteStreamCount.get() == 0) {`
			`+ // No streams currently active. Use the keep-alive`
			`+ // timeout for the connection.`
			`+ socketWrapper.setReadTimeout(protocol.getKeepAliveTimeout());`
			`+ } else {`
			`+ // Streams currently active. Individual streams have`
			`+ // timeouts so keep the connection open.`
			`+ socketWrapper.setReadTimeout(-1);`
			`+ }`
			`} catch (Http2Exception ce) {`
			`// Really ConnectionException`
			`if (log.isDebugEnabled()) {`