Last Modified: Oct 17, 2023
Known Affected Versions:
13.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 14.0.0, 188.8.131.52, 184.108.40.206
14.1.0, 220.127.116.11, 18.104.22.168
Opened: Sep 08, 2017 Severity: 4-Minor
HTTP/2 request can include Content-Length header. When the value of a Content-Length header does not match the sum of lengths of all DATA frames from the stream, RFC requires that the system reset the stream.
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.
-- A virtual server is configured with HTTP/2 profile. -- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.