comparison src/http/ngx_http_spdy.c @ 5904:abb466a57a22

SPDY: fixed check for too long header name or value. For further progress a new buffer must be at least two bytes larger than the remaining unparsed data. One more byte is needed for null-termination and another one for further progress. Otherwise inflate() fails with Z_BUF_ERROR.
author Valentin Bartenev <vbart@nginx.com>
date Fri, 07 Nov 2014 17:22:19 +0300
parents 571e66f7c12c
children 2c10db908b8c
comparison
equal deleted inserted replaced
5903:571e66f7c12c 5904:abb466a57a22
2658 } 2658 }
2659 2659
2660 rest = r->header_in->last - r->header_in->pos; 2660 rest = r->header_in->last - r->header_in->pos;
2661 2661
2662 /* 2662 /*
2663 * equality is prohibited since one more byte is needed 2663 * One more byte is needed for null-termination
2664 * for null-termination 2664 * and another one for further progress.
2665 */ 2665 */
2666 if (rest >= cscf->large_client_header_buffers.size) { 2666 if (rest > cscf->large_client_header_buffers.size - 2) {
2667 p = r->header_in->pos; 2667 p = r->header_in->pos;
2668 2668
2669 if (rest > NGX_MAX_ERROR_STR - 300) { 2669 if (rest > NGX_MAX_ERROR_STR - 300) {
2670 rest = NGX_MAX_ERROR_STR - 300; 2670 rest = NGX_MAX_ERROR_STR - 300;
2671 } 2671 }