http2: validate initialWindowSize per HTTP/2 spec

mcollina · web-flow · commit 57a71cd50dc7 · 2026-01-19T07:35:13.000Z
The HTTP/2 spec (RFC 7540) defines SETTINGS_INITIAL_WINDOW_SIZE maximum as 2^31-1. Values above this must be treated as a FLOW_CONTROL_ERROR. Previously, Node.js allowed values up to 2^32-1 which caused nghttp2_submit_settings() to return NGHTTP2_ERR_INVALID_ARGUMENT, triggering an uncatchable assertion failure and crashing the process. This change adds proper validation to reject values >= 2^31 with a catchable RangeError before they reach nghttp2. PR-URL: #61402 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Tim Perry <pimterry@gmail.com>
diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
@@ -230,6 +230,7 @@ function debugSessionObj(session, message, ...args) {
 
 const kMaxFrameSize = (2 ** 24) - 1;
 const kMaxInt = (2 ** 32) - 1;
+const kMaxInitialWindowSize = (2 ** 31) - 1;  // HTTP/2 spec maximum
 const kMaxStreams = (2 ** 32) - 1;
 const kMaxALTSVC = (2 ** 14) - 2;
 
@@ -989,7 +990,7 @@ function pingCallback(cb) {
 
 // Validates the values in a settings object. Specifically:
 // 1. headerTableSize must be a number in the range 0 <= n <= kMaxInt
-// 2. initialWindowSize must be a number in the range 0 <= n <= kMaxInt
+// 2. initialWindowSize must be a number in the range 0 <= n <= 2^31-1
 // 3. maxFrameSize must be a number in the range 16384 <= n <= kMaxFrameSize
 // 4. maxConcurrentStreams must be a number in the range 0 <= n <= kMaxStreams
 // 5. maxHeaderListSize must be a number in the range 0 <= n <= kMaxInt
@@ -1014,7 +1015,7 @@ const validateSettings = hideStackFrames((settings) => {
                                       0, kMaxInt);
   assertWithinRange.withoutStackTrace('initialWindowSize',
                                       settings.initialWindowSize,
-                                      0, kMaxInt);
+                                      0, kMaxInitialWindowSize);
   assertWithinRange.withoutStackTrace('maxFrameSize',
                                       settings.maxFrameSize,
                                       16384, kMaxFrameSize);
diff --git a/test/parallel/test-http2-getpackedsettings.js b/test/parallel/test-http2-getpackedsettings.js
@@ -20,7 +20,7 @@ assert.deepStrictEqual(val, check);
   ['headerTableSize', 0],
   ['headerTableSize', 2 ** 32 - 1],
   ['initialWindowSize', 0],
-  ['initialWindowSize', 2 ** 32 - 1],
+  ['initialWindowSize', 2 ** 31 - 1],  // Max per HTTP/2 spec
   ['maxFrameSize', 16384],
   ['maxFrameSize', 2 ** 24 - 1],
   ['maxConcurrentStreams', 0],
@@ -42,6 +42,8 @@ http2.getPackedSettings({ enablePush: false });
   ['headerTableSize', -1],
   ['headerTableSize', 2 ** 32],
   ['initialWindowSize', -1],
+  ['initialWindowSize', 2 ** 31],  // Max per HTTP/2 spec is 2^31-1
+  ['initialWindowSize', 2 ** 32 - 1],  // Regression test for nghttp2 crash
   ['initialWindowSize', 2 ** 32],
   ['maxFrameSize', 16383],
   ['maxFrameSize', 2 ** 24],
diff --git a/test/parallel/test-http2-session-settings.js b/test/parallel/test-http2-session-settings.js
@@ -133,6 +133,8 @@ server.listen(
         ['headerTableSize', -1],
         ['headerTableSize', 2 ** 32],
         ['initialWindowSize', -1],
+        ['initialWindowSize', 2 ** 31],  // Max per HTTP/2 spec is 2^31-1
+        ['initialWindowSize', 2 ** 32 - 1],  // Regression test for nghttp2 crash
         ['initialWindowSize', 2 ** 32],
         ['maxFrameSize', 16383],
         ['maxFrameSize', 2 ** 24],
