From: Greg Ames
Date: Wed, 11 Dec 2002 21:03:58 +0000 (+0000)
Subject: ap_get_mime_headers: tighten up the null termination of header line which is
X-Git-Tag: pre_ajp_proxy~2457
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4c7042aa3efd80e73218bd181f72912b23ab6bd0;p=apache

ap_get_mime_headers: tighten up the null termination of header line which is too long. getline can return a smaller length that what it actually read in that case. The check for len > limit_fieldsize isn't needed, but we do need to insure that getline actually allocated a buffer (and set len) in the case where the first socket input buffer is already bigger than the limit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97863 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/server/protocol.c b/server/protocol.c
index d1fbba3c52..097526b4a5 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -772,14 +772,11 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 /* ap_rgetline returns APR_ENOSPC if it fills up the buffer before
 * finding the end-of-line. This is only going to happen if it
 * exceeds the configured limit for a field size.
- * The cast is safe, limit_req_fieldsize cannot be negative
 */
- if (rv == APR_ENOSPC
- || (rv == APR_SUCCESS
- && len > (apr_size_t)r->server->limit_req_fieldsize)) {
+ if (rv == APR_ENOSPC && field) {
 r->status = HTTP_BAD_REQUEST;
 /* insure ap_escape_html will terminate correctly */
- field[r->server->limit_req_fieldsize] = '\0';
+ field[len - 1] = '\0';
 apr_table_setn(r->notes, "error-notes",
 apr_pstrcat(r->pool,
 "Size of a request header field "
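Review bot: `field[len - 1] = '\0';` writes far out of bounds if ap_rgetline ever returns APR_ENOSPC with a non-NULL `field` and `len == 0`, because `len` is presumably an `apr_size_t` (the removed cast compared it as one) and `len - 1` would wrap to the maximum value. The new guard treats a non-NULL `field` as proof that `len` was set, which holds only if ap_rgetline guarantees it; stating the requirement directly is cheap: `if (rv == APR_ENOSPC && field && len > 0) {`. Separately, when `rv == APR_ENOSPC` and `field` is NULL this branch is now skipped, so the oversized header is rejected only if code after the hunk handles a non-success `rv`. That code is not visible here, since the function body continues outside the hunk, so a one-line comment naming where the NULL-buffer case is caught would help the next reader.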