mirror of
https://github.com/moparisthebest/curl
synced 2024-12-24 17:18:48 -05:00
http: fix the max header length detection logic
Previously, it would only check for max length if the existing alloc buffer was to small to fit it, which often would make the header still get used. Reported-by: Guido Berhoerster Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html Closes #2315
This commit is contained in:
parent
5a44c9fa8b
commit
03370fa5a0
15
lib/http.c
15
lib/http.c
@ -2880,20 +2880,19 @@ static CURLcode header_append(struct Curl_easy *data,
|
||||
struct SingleRequest *k,
|
||||
size_t length)
|
||||
{
|
||||
if(k->hbuflen + length >= data->state.headersize) {
|
||||
/* We enlarge the header buffer as it is too small */
|
||||
char *newbuff;
|
||||
size_t hbufp_index;
|
||||
size_t newsize;
|
||||
|
||||
if(k->hbuflen + length > CURL_MAX_HTTP_HEADER) {
|
||||
size_t newsize = k->hbuflen + length;
|
||||
if(newsize > CURL_MAX_HTTP_HEADER) {
|
||||
/* The reason to have a max limit for this is to avoid the risk of a bad
|
||||
server feeding libcurl with a never-ending header that will cause
|
||||
reallocs infinitely */
|
||||
failf(data, "Avoided giant realloc for header (max is %d)!",
|
||||
failf(data, "Rejected %zd bytes header (max is %d)!", newsize,
|
||||
CURL_MAX_HTTP_HEADER);
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
if(newsize >= data->state.headersize) {
|
||||
/* We enlarge the header buffer as it is too small */
|
||||
char *newbuff;
|
||||
size_t hbufp_index;
|
||||
|
||||
newsize = CURLMAX((k->hbuflen + length) * 3 / 2, data->state.headersize*2);
|
||||
hbufp_index = k->hbufp - data->state.headerbuff;
|
||||
|
Loading…
Reference in New Issue
Block a user