# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1567520816 -10800
# Node ID 52b5ee64fe11ec267a0767cbb9874c8cae652299
# Parent  9f1f9d6e056a4f85907957ef263f78a426ae4f9c
Detect runaway chunks in ngx_http_parse_chunked().

As defined in HTTP/1.1, body chunks have the following ABNF:

   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2268,6 +2268,9 @@ ngx_http_parse_chunked(ngx_http_request_
                 break;
             case LF:
                 state = sw_chunk_start;
+                break;
+            default:
+                goto invalid;
             }
             break;