Last Modified: Oct 17, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 14.0.0, 14.0.0.1, 14.0.0.2
Fixed In:
14.1.0, 14.0.0.3, 13.1.0.8
Opened: Sep 08, 2017 Severity: 4-Minor
HTTP/2 request can include Content-Length header. When the value of a Content-Length header does not match the sum of lengths of all DATA frames from the stream, RFC requires that the system reset the stream.
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.
-- A virtual server is configured with HTTP/2 profile. -- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
None.
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.