1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 17:48:48 -05:00

http: fix the max header length detection logic

Previously, it would only check for max length if the existing alloc
buffer was to small to fit it, which often would make the header still
get used.

Reported-by: Guido Berhoerster
Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html

Closes #2315
This commit is contained in:
Daniel Stenberg 2018-02-16 09:49:33 +01:00
parent 5a44c9fa8b
commit 03370fa5a0
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -2880,20 +2880,19 @@ static CURLcode header_append(struct Curl_easy *data,
struct SingleRequest *k, struct SingleRequest *k,
size_t length) size_t length)
{ {
if(k->hbuflen + length >= data->state.headersize) { size_t newsize = k->hbuflen + length;
if(newsize > CURL_MAX_HTTP_HEADER) {
/* The reason to have a max limit for this is to avoid the risk of a bad
server feeding libcurl with a never-ending header that will cause
reallocs infinitely */
failf(data, "Rejected %zd bytes header (max is %d)!", newsize,
CURL_MAX_HTTP_HEADER);
return CURLE_OUT_OF_MEMORY;
}
if(newsize >= data->state.headersize) {
/* We enlarge the header buffer as it is too small */ /* We enlarge the header buffer as it is too small */
char *newbuff; char *newbuff;
size_t hbufp_index; size_t hbufp_index;
size_t newsize;
if(k->hbuflen + length > CURL_MAX_HTTP_HEADER) {
/* The reason to have a max limit for this is to avoid the risk of a bad
server feeding libcurl with a never-ending header that will cause
reallocs infinitely */
failf(data, "Avoided giant realloc for header (max is %d)!",
CURL_MAX_HTTP_HEADER);
return CURLE_OUT_OF_MEMORY;
}
newsize = CURLMAX((k->hbuflen + length) * 3 / 2, data->state.headersize*2); newsize = CURLMAX((k->hbuflen + length) * 3 / 2, data->state.headersize*2);
hbufp_index = k->hbufp - data->state.headerbuff; hbufp_index = k->hbufp - data->state.headerbuff;