Strengthen error-detection code in HTTP_IN and core_input_filter so that

invalid readbytes or errors reading brigades are properly handled.

Reviewed by:	Brian Pane

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95897 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 38635501ab39126f0fa4d6a1cbb4ae001f7c049b..8f899a893ae4371fc1b72bf981ded04209083c62 100644 (file)
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -898,14 +898,14 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
             rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
                                 APR_BLOCK_READ, 0);
 
-            if (rv != APR_SUCCESS) {
-                return rv;
+            if (rv == APR_SUCCESS) {
+                rv = apr_brigade_flatten(bb, line, &len);
+                if (rv == APR_SUCCESS) {
+                    ctx->remaining = get_chunk_size(line);
+                }
             }
-            apr_brigade_flatten(bb, line, &len);
-
-            ctx->remaining = get_chunk_size(line);
             /* Detect chunksize error (such as overflow) */
-            if (ctx->remaining < 0) {
+            if (rv != APR_SUCCESS || ctx->remaining < 0) {
                 ctx->remaining = 0; /* Reset it in case we have to
                                      * come back here later */
                 apr_brigade_cleanup(bb);
@@ -957,23 +957,22 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
                 /* We need to read the CRLF after the chunk.  */
                 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
                                     APR_BLOCK_READ, 0);
-                if (rv != APR_SUCCESS) {
-                    return rv;
-                }
                 apr_brigade_cleanup(bb);
 
-                /* Read the real chunk line. */
-                rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
-                                    APR_BLOCK_READ, 0);
-
-                if (rv != APR_SUCCESS) {
-                    return rv;
+                if (rv == APR_SUCCESS) {
+                    /* Read the real chunk line. */
+                    rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
+                                        APR_BLOCK_READ, 0);
+                    if (rv == APR_SUCCESS) {
+                        rv = apr_brigade_flatten(bb, line, &len);
+                        if (rv == APR_SUCCESS) {
+                            ctx->remaining = get_chunk_size(line);
+                        }
+                    }
                 }
-                apr_brigade_flatten(bb, line, &len);
-                ctx->remaining = get_chunk_size(line);
 
                 /* Detect chunksize error (such as overflow) */
-                if (ctx->remaining < 0) {
+                if (rv != APR_SUCCESS || ctx->remaining < 0) {
                     ctx->remaining = 0; /* Reset it in case we have to
                                          * come back here later */
                     apr_brigade_cleanup(bb);

diff --git a/server/core.c b/server/core.c
index da2b648558ac6c564c13e0ad8dfda1276679327f..23f7641ab352c29ff9eecfc92a0b0df8f52cd2f3 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -3462,7 +3462,6 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
 
     /* read up to the amount they specified. */
     if (mode == AP_MODE_READBYTES || mode == AP_MODE_SPECULATIVE) {
-        apr_off_t total;
         apr_bucket *e;
         apr_bucket_brigade *newbb;
 
@@ -3500,7 +3499,10 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
             readbytes = len;
         }
 
-        apr_brigade_partition(ctx->b, readbytes, &e);
+        rv = apr_brigade_partition(ctx->b, readbytes, &e);
+        if (rv != APR_SUCCESS) {
+            return rv;
+        }
 
         /* Must do split before CONCAT */
         newbb = apr_brigade_split(ctx->b, e);
@@ -3522,9 +3524,6 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
         /* Take what was originally there and place it back on ctx->b */
         APR_BRIGADE_CONCAT(ctx->b, newbb);
 
-        /* XXX: Why is this here? We never use 'total'! */
-        apr_brigade_length(b, 1, &total);
-
         return APR_SUCCESS;
     }