Detect runaway chunks in ngx_http_parse_chunked().

As defined in HTTP/1.1, body chunks have the following ABNF:

   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0
Sergey Kandaurov 2019-09-03 17:26:56 +03:00
parent 9cb22efa3f
commit 77c01f10a1
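
The rule from the commit message, as an added example that is not nginx code or part of this commit: a strict validator over a fully buffered body that rejects chunk-data not followed by CRLF at the chunk-size offset. The names `check_chunked`, `hex_val` and the `CHUNKED_*` codes are hypothetical, and the sample inputs are constructed with explicit CRLF line endings.

```c
#include <stddef.h>
#include <stdio.h>

enum { CHUNKED_OK = 0, CHUNKED_AGAIN = 1, CHUNKED_INVALID = -1 };

/* Constructed inputs: the commit message's example and a well-formed body. */
static const char runaway[] = "4\r\nSEE-THIS-AND-\r\n4\r\nTHAT\r\n0\r\n\r\n";
static const char wellformed[] = "4\r\nTHIS\r\n4\r\nTHAT\r\n0\r\n\r\n";

static int hex_val(unsigned char c)      /* hex digit value, or -1 */
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                           /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical validator over a buffered body; trailer fields not handled. */
int check_chunked(const char *buf, size_t len)
{
    size_t i = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        int v;
        while (i < len && (v = hex_val((unsigned char) buf[i])) >= 0) {
            if (++digits > 8) return CHUNKED_INVALID;  /* bound chunk-size */
            size = size * 16 + (size_t) v;
            i++;
        }
        if (i == len) return CHUNKED_AGAIN;            /* size line incomplete */
        if (digits == 0) return CHUNKED_INVALID;
        while (i < len && buf[i] != '\r') {            /* skip chunk-ext */
            if (buf[i++] == '\n') return CHUNKED_INVALID;
        }
        if (len - i < 2) return CHUNKED_AGAIN;
        if (buf[i + 1] != '\n') return CHUNKED_INVALID;
        i += 2;
        if (len - i < 2 || len - i - 2 < size) return CHUNKED_AGAIN;
        i += size;                                     /* chunk-data octets */
        /* the check this commit is about: CRLF must sit at chunk-size offset */
        if (buf[i] != '\r' || buf[i + 1] != '\n') return CHUNKED_INVALID;
        i += 2;
        if (size == 0) return CHUNKED_OK;              /* last-chunk seen */
    }
}

int main(void)
{
    printf("runaway=%d wellformed=%d\n", check_chunked(runaway, sizeof(runaway) - 1),
           check_chunked(wellformed, sizeof(wellformed) - 1));
    return 0;
}
```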

@ -2268,6 +2268,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
break;
case LF:
state = sw_chunk_start;
break;
default:
goto invalid;
}
break;
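
Review bot: the `case LF:` branch next to the `default: goto invalid;` branch still moves to sw_chunk_start on a bare LF, so chunk-data terminated by LF alone stays accepted even though the commit message cites the ABNF with CRLF. If that leniency is intentional, a short comment at that branch should say so, since parsers that disagree on chunk boundaries are a known source of request-framing mismatches between a proxy and its backend; otherwise LF should take the same `goto invalid` path. The visible hunk also carries no test for the new branch; the example body from the commit message would serve directly as a regression case.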