Mercurial > hg > nginx
comparison src/http/ngx_http_spdy.c @ 5904:abb466a57a22
SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data. One more byte is needed for null-termination
and another one for further progress. Otherwise inflate() fails with
Z_BUF_ERROR.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 07 Nov 2014 17:22:19 +0300 |
parents | 571e66f7c12c |
children | 2c10db908b8c |
comparison
equal
deleted
inserted
replaced
5903:571e66f7c12c | 5904:abb466a57a22 |
---|---|
2658 } | 2658 } |
2659 | 2659 |
2660 rest = r->header_in->last - r->header_in->pos; | 2660 rest = r->header_in->last - r->header_in->pos; |
2661 | 2661 |
2662 /* | 2662 /* |
2663 * equality is prohibited since one more byte is needed | 2663 * One more byte is needed for null-termination |
2664 * for null-termination | 2664 * and another one for further progress. |
2665 */ | 2665 */ |
2666 if (rest >= cscf->large_client_header_buffers.size) { | 2666 if (rest > cscf->large_client_header_buffers.size - 2) { |
2667 p = r->header_in->pos; | 2667 p = r->header_in->pos; |
2668 | 2668 |
2669 if (rest > NGX_MAX_ERROR_STR - 300) { | 2669 if (rest > NGX_MAX_ERROR_STR - 300) { |
2670 rest = NGX_MAX_ERROR_STR - 300; | 2670 rest = NGX_MAX_ERROR_STR - 300; |
2671 } | 2671 } |