From e3a10fe3749eea3d7d5f284c3a1e57479131176f Mon Sep 17 00:00:00 2001
From: Nicholas S. Husin <nsh@golang.org>
Date: Tue, 31 Mar 2026 15:02:11 -0400
Subject: [PATCH] net/http/internal/http2: prevent hanging Transport due to bad SETTINGS frame

When processing a SETTINGS frame, Transport currently only checks if the
frame is valid for SETTINGS_ENABLE_CONNECT_PROTOCOL. As a result, a
SETTINGS_MAX_FRAME_SIZE with the invalid value of 0 is erroneously
accepted. This then leaves Transport stuck in an infinite
loop writing CONTINUATION frames.

This CL fixes the issue by ensuring that SETTINGS frame are always
validated, regardless of the SETTINGS parameter.

Thanks to Marwan Atia (marwansamir688@gmail.com) for reporting this
issue.

Fixes #78476
Fixes CVE-2026-33814

Change-Id: I8b6219431e87454d34bca738fbcb59b66a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/761581
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
---

diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 36423b2..2b04bed 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -2320,6 +2320,9 @@
	}
 
 	err := f.ForeachSetting(func(s Setting) error {
+		if err := s.Valid(); err != nil {
+			return err
+		}
 		switch s.ID {
 		case SettingMaxFrameSize:
 			cc.maxFrameSize = s.Val
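Review bot: The new `s.Valid()` guard at the top of the ForeachSetting callback carries no comment saying why validation must now run for every parameter before the switch, and since that ordering is the entire fix it deserves one: `// Validate every setting before applying it (RFC 9113 §6.5.2); an unchecked SETTINGS_MAX_FRAME_SIZE of 0 would otherwise stall the CONTINUATION write loop.` above the `if`. If the switch below still contains the per-parameter `s.Valid()` call for SETTINGS_ENABLE_CONNECT_PROTOCOL that the description refers to, it is now redundant and can be removed. The error propagated here is whatever `Setting.Valid` returns, so it is worth confirming that the read loop turns it into a GOAWAY with the matching error code rather than a bare connection close. The enclosing function starts before and continues past this hunk.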
