http2: limit maximum handler goroutines to MaxConcurrentStreams

When the peer opens a new stream while we have MaxConcurrentStreams
handler goroutines running, defer starting a handler until one
of the existing handlers exits.

Fixes golang/go#63417
Fixes CVE-2023-39325

Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
TryBot-Result: Security TryBots <>
Reviewed-by: Ian Cottrell <>
Reviewed-by: Tatiana Bradley <>
Run-TryBot: Damien Neil <>
Reviewed-by: Michael Pratt <>
Reviewed-by: Dmitri Shuralyov <>
LUCI-TryBot-Result: Go LUCI <>
Auto-Submit: Dmitri Shuralyov <>
Reviewed-by: Damien Neil <>
2 files changed
tree: 71abde9eaef98e22f4535a84e36545cac775ca5e
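
The scheduling rule described in the commit message, as an added Go example that is not the x/net/http2 code: at most `max` handler goroutines run at once, and further streams are deferred until a handler exits. The names `conn`, `newStream`, `startNext` and `runBurst`, and the `maxQueue` bound on deferred handlers, are assumptions of this example.

```go
package main

import "fmt"

// conn is a hypothetical type: max plays MaxConcurrentStreams, maxQueue is assumed.
type conn struct {
	max, maxQueue, running, peak int
	queue                        []func()      // handlers deferred until one exits
	done                         chan struct{} // one message per handler exit
}

// newStream starts h or defers it; false means the assumed backlog is full.
func (c *conn) newStream(h func()) bool {
	if c.running >= c.max && len(c.queue) >= c.maxQueue {
		return false
	}
	c.queue = append(c.queue, h)
	c.startNext()
	return true
}

// startNext starts the oldest deferred handler if a handler slot is free.
func (c *conn) startNext() {
	if c.running < c.max && len(c.queue) > 0 {
		h := c.queue[0]
		c.queue = c.queue[1:]
		if c.running++; c.running > c.peak {
			c.peak = c.running
		}
		go func() { h(); c.done <- struct{}{} }()
	}
}

// runBurst opens n streams before the loop sees any handler exit, then drains.
func runBurst(max, maxQueue, n int) (peak, ran, dropped int) {
	c := &conn{max: max, maxQueue: maxQueue, done: make(chan struct{})}
	for i := 0; i < n; i++ {
		if !c.newStream(func() {}) {
			dropped++
		}
	}
	for ; c.running > 0; ran++ {
		<-c.done // a handler exited: free its slot, start a deferred one
		c.running--
		c.startNext()
	}
	return c.peak, ran, dropped
}

func main() { fmt.Println(runBurst(4, 8, 100)) }
```

Only the loop in `runBurst` touches `conn`, so the state needs no lock; handler goroutines report their exit on `done`.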

Go Networking


This repository holds supplementary Go networking libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see The main issue tracker for the net repository is located at Prefix your issue with “x/net:” in the subject line, so it is easy to find.