From cf9ea6f999c9e2403cffa84aae18c82afc17e561 Mon Sep 17 00:00:00 2001
From: Greg Ames <gregames@apache.org>
Date: Wed, 11 Dec 2002 21:03:58 +0000
Subject: [PATCH] ap_get_mime_headers: tighten up the null termination of
 header line which is too long.  getline can return a smaller length that what
 it actually read in that case.

The check for len > limit_fieldsize isn't needed, but we do need to insure
that getline actually allocated a buffer (and set len) in the case where
the first socket input buffer is already bigger than the limit.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97863 13f79535-47bb-0310-9956-ffa450edef68
---
 server/protocol.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/server/protocol.c b/server/protocol.c
index d1fbba3c52..097526b4a5 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -772,14 +772,11 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
         /* ap_rgetline returns APR_ENOSPC if it fills up the buffer before
          * finding the end-of-line.  This is only going to happen if it
          * exceeds the configured limit for a field size.
-         * The cast is safe, limit_req_fieldsize cannot be negative
          */
-        if (rv == APR_ENOSPC
-            || (rv == APR_SUCCESS 
-                && len > (apr_size_t)r->server->limit_req_fieldsize)) {
+        if (rv == APR_ENOSPC && field) {
             r->status = HTTP_BAD_REQUEST;
             /* insure ap_escape_html will terminate correctly */
-            field[r->server->limit_req_fieldsize] = '\0';
+            field[len - 1] = '\0';
             apr_table_setn(r->notes, "error-notes",
                            apr_pstrcat(r->pool,
                                        "Size of a request header field "
-- 
2.40.0