ap_get_mime_headers: tighten up the null termination of header line which is

too long.  getline can return a smaller length that what it actually read in
that case.

The check for len > limit_fieldsize isn't needed, but we do need to insure
that getline actually allocated a buffer (and set len) in the case where
the first socket input buffer is already bigger than the limit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97863 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/protocol.c b/server/protocol.c
index d1fbba3c52e39464c2f27614954fd635171d8450..097526b4a54a20c14c71d5a2bb4080d857d7ae6c 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -772,14 +772,11 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
         /* ap_rgetline returns APR_ENOSPC if it fills up the buffer before
          * finding the end-of-line.  This is only going to happen if it
          * exceeds the configured limit for a field size.
-         * The cast is safe, limit_req_fieldsize cannot be negative
          */
-        if (rv == APR_ENOSPC
-            || (rv == APR_SUCCESS 
-                && len > (apr_size_t)r->server->limit_req_fieldsize)) {
+        if (rv == APR_ENOSPC && field) {
             r->status = HTTP_BAD_REQUEST;
             /* insure ap_escape_html will terminate correctly */
-            field[r->server->limit_req_fieldsize] = '\0';
+            field[len - 1] = '\0';
             apr_table_setn(r->notes, "error-notes",
                            apr_pstrcat(r->pool,
                                        "Size of a request header field "