SPDY: fixed check for too long header name or value.

For further progress a new buffer must be at least two bytes larger than the remaining unparsed data. One more byte is needed for null-termination and another one for further progress. Otherwise inflate() fails with Z_BUF_ERROR.
2025-06-07 17:52:38 +08:00 · 2014-11-07 17:22:19 +03:00 · 2014-11-07 17:22:19 +03:00 · 20d41493d4
commit 20d41493d4
parent 42b6d57fb5
1 changed files with 3 additions and 3 deletions
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@ -2660,10 +2660,10 @@ ngx_http_spdy_alloc_large_header_buffer(ngx_http_request_t *r)
    rest = r->header_in->last - r->header_in->pos;

    /*
-     * equality is prohibited since one more byte is needed
-     * for null-termination
+     * One more byte is needed for null-termination
+     * and another one for further progress.
     */
-    if (rest >= cscf->large_client_header_buffers.size) {
+    if (rest > cscf->large_client_header_buffers.size - 2) {
        p = r->header_in->pos;

        if (rest > NGX_MAX_ERROR_STR - 300) {