Mercurial > hg > nginx
comparison src/http/ngx_http_spdy.c @ 5904:abb466a57a22
SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data. One more byte is needed for null-termination
and another one for further progress. Otherwise inflate() fails with
Z_BUF_ERROR.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Fri, 07 Nov 2014 17:22:19 +0300 |
| parents | 571e66f7c12c |
| children | 2c10db908b8c |
comparison
equal
deleted
inserted
replaced
| 5903:571e66f7c12c | 5904:abb466a57a22 |
|---|---|
| 2658 } | 2658 } |
| 2659 | 2659 |
| 2660 rest = r->header_in->last - r->header_in->pos; | 2660 rest = r->header_in->last - r->header_in->pos; |
| 2661 | 2661 |
| 2662 /* | 2662 /* |
| 2663 * equality is prohibited since one more byte is needed | 2663 * One more byte is needed for null-termination |
| 2664 * for null-termination | 2664 * and another one for further progress. |
| 2665 */ | 2665 */ |
| 2666 if (rest >= cscf->large_client_header_buffers.size) { | 2666 if (rest > cscf->large_client_header_buffers.size - 2) { |
| 2667 p = r->header_in->pos; | 2667 p = r->header_in->pos; |
| 2668 | 2668 |
| 2669 if (rest > NGX_MAX_ERROR_STR - 300) { | 2669 if (rest > NGX_MAX_ERROR_STR - 300) { |
| 2670 rest = NGX_MAX_ERROR_STR - 300; | 2670 rest = NGX_MAX_ERROR_STR - 300; |
| 2671 } | 2671 } |