[PATCH] ngx_http_parse_chunked might request wrong number of bytes

Dmitry Popov
June 27, 2013 03:22PM
Consider a case when we've just read chunk size (but nothing else):
    case sw_chunk_size:
        ctx->length = 2 /* LF LF */
                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
        break;
ctx->length will be equal to 6 + ctx->size, but actually we need 5 + ctx->size
bytes: LF <data> LF 0 LF LF. It may lead to a deadlock (peer waits for a
response from us while we wait for that last byte).

* IIRC, RFC states that CRLF should be used after chunk size, not LF, so it's
not so critical, but I think it should be fixed anyway.

Signed-off-by: Dmitry Popov <dp@highloadlab.com>

diff -ur old/src/http/ngx_http_parse.c new/src/http/ngx_http_parse.c
--- old/src/http/ngx_http_parse.c 2013-06-04 17:21:53.000000000 +0400
+++ new/src/http/ngx_http_parse.c 2013-06-27 23:00:27.091638084 +0400
@@ -2180,8 +2180,10 @@
ctx->length = 3 /* "0" LF LF */;
break;
case sw_chunk_size:
- ctx->length = 2 /* LF LF */
- + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
+ ctx->length = 1 /* LF */
+ + (ctx->size
+ ? ctx->size + 4 /* LF "0" LF LF */
+ : 1 /* LF */);
break;
case sw_chunk_extension:
case sw_chunk_extension_almost_done:
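
Review bot: In the sw_chunk_size case, splitting the count into a leading `1 /* LF */` plus a ternary whose zero branch is another `1 /* LF */` makes the byte accounting harder to audit than it needs to be. The zero-size result is still 2 (the old `2 /* LF LF */` plus 0), and only the non-zero result changes, from ctx->size + 6 to ctx->size + 5, but a reader has to add terms across three lines to see that. The comment on `ctx->size + 4` also names only the four trailing bytes, leaving the LF before the data and the data itself implicit. Consider writing each branch as one total with the full layout in its comment, for example `ctx->size ? ctx->size + 5 /* LF <data> LF "0" LF LF */ : 2 /* LF LF */`, which matches the style of the `3 /* "0" LF LF */` case above it. A short comment stating that ctx->length is a minimum computed with bare LF line endings, and that over-counting leaves the reader waiting for a byte the peer will never send, would record why the exact value matters.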
