From: Justin Erenkrantz
Date: Thu, 27 Jun 2002 05:18:19 +0000 (+0000)
Subject: Strengthen error-detection code in HTTP_IN and core_input_filter so that
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=13ec606e595e79706882f703f617c5620455daeb;p=apache
Strengthen error-detection code in HTTP_IN and core_input_filter so that invalid readbytes or errors reading brigades are properly handled.
Reviewed by: Brian Pane
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95897 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 38635501ab..8f899a893a 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -898,14 +898,14 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, APR_BLOCK_READ, 0);
- if (rv != APR_SUCCESS) {
- return rv;
+ if (rv == APR_SUCCESS) {
+ rv = apr_brigade_flatten(bb, line, &len);
+ if (rv == APR_SUCCESS) {
+ ctx->remaining = get_chunk_size(line);
+ }
 }
- apr_brigade_flatten(bb, line, &len);
-
- ctx->remaining = get_chunk_size(line);
 /* Detect chunksize error (such as overflow) */
- if (ctx->remaining < 0) {
+ if (rv != APR_SUCCESS || ctx->remaining < 0) {
 ctx->remaining = 0; /* Reset it in case we have to * come back here later */
 apr_brigade_cleanup(bb);
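Review bot: `get_chunk_size(line)` parses `line` as a C string, but `apr_brigade_flatten` copies at most `len` bytes and does not append a terminator, so a chunk-size line that fills the buffer would be parsed past its end unless code outside this hunk reserves a byte. The declarations of `line` and `len` are not visible here, so this needs confirming; if they do not already do it, pass `sizeof(line) - 1` as `len` and add `line[len] = '\0';` after the successful flatten. It is also worth confirming that `len` is reset to the buffer size before each call, since flatten overwrites it with the number of bytes copied. The same flatten-then-parse sequence is added in the second ap_http_filter hunk (@@ -957,23) and needs the same guard.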
@@ -957,23 +957,22 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
 /* We need to read the CRLF after the chunk. */
 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, APR_BLOCK_READ, 0);
- if (rv != APR_SUCCESS) {
- return rv;
- }
 apr_brigade_cleanup(bb);
- /* Read the real chunk line. */
- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
- APR_BLOCK_READ, 0);
-
- if (rv != APR_SUCCESS) {
- return rv;
+ if (rv == APR_SUCCESS) {
+ /* Read the real chunk line. */
+ rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
+ APR_BLOCK_READ, 0);
+ if (rv == APR_SUCCESS) {
+ rv = apr_brigade_flatten(bb, line, &len);
+ if (rv == APR_SUCCESS) {
+ ctx->remaining = get_chunk_size(line);
+ }
+ }
 }
- apr_brigade_flatten(bb, line, &len);
- ctx->remaining = get_chunk_size(line);
 /* Detect chunksize error (such as overflow) */
- if (ctx->remaining < 0) {
+ if (rv != APR_SUCCESS || ctx->remaining < 0) {
 ctx->remaining = 0; /* Reset it in case we have to * come back here later */
 apr_brigade_cleanup(bb);
diff --git a/server/core.c b/server/core.c
index da2b648558..23f7641ab3 100644
--- a/server/core.c
+++ b/server/core.c
@@ -3462,7 +3462,6 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
 /* read up to the amount they specified. */
 if (mode == AP_MODE_READBYTES || mode == AP_MODE_SPECULATIVE) {
- apr_off_t total;
 apr_bucket *e;
 apr_bucket_brigade *newbb;
@@ -3500,7 +3499,10 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
 readbytes = len;
 }
- apr_brigade_partition(ctx->b, readbytes, &e);
+ rv = apr_brigade_partition(ctx->b, readbytes, &e);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
 /* Must do split before CONCAT */
 newbb = apr_brigade_split(ctx->b, e);
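Review bot: The combined test `if (rv != APR_SUCCESS || ctx->remaining < 0)` sends a failed brigade read or flatten down the same branch as a malformed chunk size, and `rv` is not returned on any line visible here. The branch body continues outside the hunk, so this is inferred, but if it reports a chunk-size error to the client, a timeout or dropped connection will be answered and recorded as a bad request body, which makes the two hard to tell apart when triaging malformed-request traffic. Consider recording the status before it is lost, or at least documenting the choice with `/* a failed read or flatten is handled like an invalid chunk size; rv is not propagated */`. The first ap_http_filter hunk (@@ -898,14) has the same condition.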
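Review bot: The early return added after `apr_brigade_partition` carries no comment saying which failures it is meant to catch, and the "invalid readbytes" case named in the commit message is only rejected indirectly by that call. `readbytes` is supplied by the caller and no range check on it is visible in this hunk (core_input_filter starts and ends outside it), so a reader cannot tell whether a zero or negative value is expected to reach this point. I would add `/* partition rejects an invalid readbytes and propagates bucket read errors */` above the check, or validate `readbytes` explicitly before the partition if no earlier line already does.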
@@ -3522,9 +3524,6 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
 /* Take what was originally there and place it back on ctx->b */
 APR_BRIGADE_CONCAT(ctx->b, newbb);
- /* XXX: Why is this here? We never use 'total'! */
- apr_brigade_length(b, 1, &total);
-
 return APR_SUCCESS;
 }