# HG changeset patch
# User Valentin Bartenev
# Date 1376579698 -14400
# Node ID 2be1a9ce9d8e91eab48ce61286a926ee74605b57
# Parent bdb3588681c91f48b89310bb88f39f1a1cda3b5f
SPDY: fixed corruption of headers with names longer than 255. It is a bad idea to put zero byte in position where the length of the next header name can be stored before it was parsed.
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -809,6 +809,8 @@ ngx_http_spdy_state_headers(ngx_http_spd
 sc->zstream_in.next_in = pos;
 sc->zstream_in.avail_in = size;
 sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination of the last header value */
 sc->zstream_in.avail_out = buf->end - buf->last - 1;
 z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@@ -912,9 +914,14 @@ ngx_http_spdy_state_headers(ngx_http_spd
 return ngx_http_spdy_state_headers_error(sc, pos, end);
 }
+ /* null-terminate the last processed header name or value */
+ *buf->pos = '\0';
+
 buf = r->header_in;
 sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination */
 sc->zstream_in.avail_out = buf->end - buf->last - 1;
 z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@@ -996,6 +1003,9 @@ ngx_http_spdy_state_headers(ngx_http_spd
 ngx_http_spdy_state_headers);
 }
+ /* null-terminate the last header value */
+ *buf->pos = '\0';
+
 ngx_http_spdy_run_request(r);
 return ngx_http_spdy_state_complete(sc, pos, end);
@@ -1936,6 +1946,9 @@ ngx_http_spdy_parse_header(ngx_http_requ
 return NGX_HTTP_PARSE_INVALID_HEADER;
 }
+ /* null-terminate the previous header value */
+ *p = '\0';
+
 p += NGX_SPDY_NV_NLEN_SIZE;
 r->header_name_end = p + len;
@@ -2005,6 +2018,9 @@ ngx_http_spdy_parse_header(ngx_http_requ
 return NGX_ERROR;
 }
+ /* null-terminate header name */
+ *p = '\0';
+
 p += NGX_SPDY_NV_VLEN_SIZE;
 r->header_end = p + len;
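Review bot: In the `-809,6 +809,8` hunk of ngx_http_spdy_state_headers, `buf->end - buf->last - 1` is stored into zlib's unsigned `avail_out` with no guard visible in the hunk that `buf->last < buf->end`; if the two could ever be equal the result is -1, which inflate() would read as a very large output size. The same expression follows `buf = r->header_in;` in the `-912,9 +914,14` hunk. If an earlier check already rules out a full buffer, the new comment should record it, for example `/* buf->last < buf->end here; one byte is kept back for the terminator */`; otherwise the function should bail out before the subtraction. The function body starts and ends outside both hunks, so this needs checking against the full source.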
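Review bot: The new `*buf->pos = '\0';` in the `-912,9 +914,14` hunk must run before the `buf = r->header_in;` that follows it, because it presumably targets the buffer being left rather than the replacement, and the comment does not record that ordering. The store also depends on `buf->pos` being strictly below `buf->end`, which is guaranteed only by the byte held back in the two `avail_out` computations. The identical store before `ngx_http_spdy_run_request(r)` in the `-996,6 +1003,9` hunk has the same dependency. The comment could be extended to `/* terminate in the old buffer: must precede the reload of buf, relies on the byte reserved in avail_out */`, so that a later reordering or a change to the reservation does not silently turn this into a one-byte write past the buffer.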
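Review bot: In ngx_http_spdy_parse_header (hunks `-1936,6 +1946,9` and `-2005,6 +2018,9`) the added `*p = '\0';` lands on the first byte of a length field. It is therefore correct only if that field has already been read into `len` and at least `NGX_SPDY_NV_NLEN_SIZE` / `NGX_SPDY_NV_VLEN_SIZE` bytes are known to be present at `p`. Neither the read nor the bounds check is inside the hunks, so both should be confirmed to precede the store on every path, including re-entry after a partial inflate. The comments would be clearer if they said so, e.g. `/* len is already parsed; the first byte of the length field now terminates the previous header value */`. For the first name/value pair there is presumably no previous value, so the first comment is slightly inaccurate there, although the write itself looks harmless.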
@@ -2163,11 +2179,9 @@ ngx_http_spdy_handle_request_header(ngx_
 h->key.len = r->lowcase_index;
 h->key.data = r->header_name_start;
- h->key.data[h->key.len] = '\0';
 h->value.len = r->header_size;
 h->value.data = r->header_start;
- h->value.data[h->value.len] = '\0';
 h->lowcase_key = h->key.data;