diff options
author | Valentin Bartenev <vbart@nginx.com> | 2014-11-07 17:22:19 +0300 |
---|---|---|
committer | Valentin Bartenev <vbart@nginx.com> | 2014-11-07 17:22:19 +0300 |
commit | 20d41493d428f123cc867590d693ef7e14a4ea11 (patch) | |
tree | 9da5b54a4b2c9816247d5632513a3409d5fe2a85 | |
parent | 42b6d57fb5dd55dc80dd17e03e0e584baa0aa64e (diff) | |
download | nginx-20d41493d428f123cc867590d693ef7e14a4ea11.tar.gz |
SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data. One more byte is needed for null-termination
and another one for further progress. Otherwise inflate() fails with
Z_BUF_ERROR.
-rw-r--r-- | src/http/ngx_http_spdy.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index ae95efd35..9cac691e0 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -2660,10 +2660,10 @@ ngx_http_spdy_alloc_large_header_buffer(ngx_http_request_t *r) rest = r->header_in->last - r->header_in->pos; /* - * equality is prohibited since one more byte is needed - * for null-termination + * One more byte is needed for null-termination + * and another one for further progress. */ - if (rest >= cscf->large_client_header_buffers.size) { + if (rest > cscf->large_client_header_buffers.size - 2) { p = r->header_in->pos; if (rest > NGX_MAX_ERROR_STR - 300) { |