Fix a bug where we would read too much data in HTTP bodies or requests.

We were using evbuffer_add_buffer, which moved the entire buffer
contents.  But if we had a valid content_length, we only wanted to
move up to the amount of data remaining in ntoread.  Our bug would
make us put our ntoread in the negative, which would in turn make us
read all data until the connection closed.

Found by Denis Bilenko.  Should fix bug 2963172.
Nick Mathewson 2010-10-25 16:00:47 -04:00
parent 525da3e1eb
commit 58a1cc6bc8

http.c

@ -880,9 +880,12 @@ evhttp_read_body(struct evhttp_connection *evcon, struct evhttp_request *req)
evbuffer_get_length(buf) >= (size_t)req->ntoread) {
/* We've postponed moving the data until now, but we're
* about to use it. */
req->ntoread -= evbuffer_get_length(buf);
req->body_size += evbuffer_get_length(buf);
evbuffer_add_buffer(req->input_buffer, buf);
size_t n = evbuffer_get_length(buf);
if (n > (size_t) req->ntoread)
n = (size_t) req->ntoread;
req->ntoread -= n;
req->body_size += n;
evbuffer_remove_buffer(buf, req->input_buffer, n);
}
if (req->body_size > req->evcon->max_body_size) {
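
Review bot: The clamp at "if (n > (size_t) req->ntoread)" only limits the move when req->ntoread is non-negative at this point. The commit message says the old code could drive ntoread negative, and a negative value cast to size_t becomes very large, so n would stay at the full buffer length and the whole buffer would be moved as before. The visible part of the enclosing condition uses the same cast, so it does not rule this out by itself. Please confirm that the part of the condition above this hunk guarantees ntoread >= 0, or add an explicit check before the cast. Separately, the result of evbuffer_remove_buffer(buf, req->input_buffer, n) is ignored while ntoread and body_size have already been adjusted by n; adjusting the counters by the count actually moved would keep them consistent with input_buffer if the move fails or comes up short. A regression test with a body that arrives together with trailing bytes beyond Content-Length would also help here.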