net/http: handle server errors after sending GOAWAY

[neild]

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101.

Backport issues: #53977 #54376

(I forgot to create the non-backport issue when making the backports, doing so now.)

[gopherbot]

Change https://go.dev/cl/428655 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

[gopherbot]

Change https://go.dev/cl/428635 mentions this issue: [release-branch.go1.18] net/http: update bundled golang.org/x/net/http2

[gopherbot]

Change https://go.dev/cl/428736 mentions this issue: [internal-branch.go1.18-vendor] http2: handle server errors after sending GOAWAY

[gopherbot]

Change https://go.dev/cl/428737 mentions this issue: [internal-branch.go1.19-vendor] http2: handle server errors after sending GOAWAY

[gopherbot]

Change https://go.dev/cl/428717 mentions this issue: all: update vendored golang.org/x/net