Welcome! Log In Create A New Profile

[nginx] SPDY: fixed check for too long header name or value.

Forum List Message List New Topic Print View

Valentin Bartenev

November 17, 2014 01:22PM

details: http://hg.nginx.org/nginx/rev/abb466a57a22
branches:
changeset: 5904:abb466a57a22
user: Valentin Bartenev <vbart@nginx.com>
date: Fri Nov 07 17:22:19 2014 +0300
description:
SPDY: fixed check for too long header name or value.

For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data. One more byte is needed for null-termination
and another one for further progress. Otherwise inflate() fails with
Z_BUF_ERROR.

diffstat:

src/http/ngx_http_spdy.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

diffs (17 lines):

diff -r 571e66f7c12c -r abb466a57a22 src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c Fri Nov 07 17:19:12 2014 +0300
+++ b/src/http/ngx_http_spdy.c Fri Nov 07 17:22:19 2014 +0300
@@ -2660,10 +2660,10 @@ ngx_http_spdy_alloc_large_header_buffer(
rest = r->header_in->last - r->header_in->pos;

/*
- * equality is prohibited since one more byte is needed
- * for null-termination
+ * One more byte is needed for null-termination
+ * and another one for further progress.
*/
- if (rest >= cscf->large_client_header_buffers.size) {
+ if (rest > cscf->large_client_header_buffers.size - 2) {
p = r->header_in->pos;

if (rest > NGX_MAX_ERROR_STR - 300) {

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[nginx] SPDY: fixed check for too long header name or value.	Valentin Bartenev	628	November 17, 2014 01:22PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 262

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018