httpd queue bug in server_http.c

httpd queue bug in server_http.c

Tracey Emery
I'm filing this bug here, so that it might get noticed before the next release
cycle and cause no more noise on tech@. Plus, the last diff I sent to tech@ was
the wrong one anyway. Whoops.

In server_http.c, the wrong server config struct is checked in the queue for
maxrequestbody. The code is only comparing to the first entry in the queue.

Attached is the diff I'm using on current. Original notice:
https://marc.info/?l=openbsd-tech&m=153255699713565&w=2

Hopefully, someone can decide the best way to progress.

Thanks and have a good day.

Tracey

Attachment: httpd.snaps.diff (5K)
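The bug described above, modelled in a constructed C example that is not httpd's code: a list of server configs where only the first entry is consulted for maxrequestbody (the buggy check) beside a check that resolves the matching location first. The config list, the `getlocation()` helper and the sample limits are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a per-server/per-location config list: each entry
 * carries a location prefix and its own maxrequestbody. Not httpd's struct. */
struct server_config {
	const char *location;      /* "" matches every path (the server default) */
	size_t maxrequestbody;
	struct server_config *next;
};

/* Constructed sample config: default limit 1 MiB, "/upload" allows 64 MiB. */
static struct server_config cfg_upload = { "/upload", 64 * 1024 * 1024, NULL };
static struct server_config cfg_default = { "", 1024 * 1024, &cfg_upload };
static struct server_config *srv_conf_head = &cfg_default;

/* Pick the config whose location prefix is the longest match for the path
 * (hypothetical stand-in for looking the location up per request). */
static const struct server_config *
getlocation(const struct server_config *head, const char *path)
{
	const struct server_config *best = head;
	size_t bestlen = 0;

	for (const struct server_config *c = head; c != NULL; c = c->next) {
		size_t n = strlen(c->location);
		if (strncmp(c->location, path, n) == 0 && n >= bestlen) {
			best = c;
			bestlen = n;
		}
	}
	return best;
}

/* Buggy: the limit is always taken from the first entry, so a 10 MiB upload
 * to /upload is refused by the 1 MiB default. Returns 413 or 0. */
int check_body_buggy(const char *path, long long clt_toread)
{
	(void)path;
	if (clt_toread > 0 && (size_t)clt_toread > srv_conf_head->maxrequestbody)
		return 413;
	return 0;
}

/* Fixed: resolve the location first, then compare against its own limit.
 * The clt_toread > 0 guard skips negative sentinel values (no body / unknown). */
int check_body_fixed(const char *path, long long clt_toread)
{
	const struct server_config *sc = getlocation(srv_conf_head, path);
	if (clt_toread > 0 && (size_t)clt_toread > sc->maxrequestbody)
		return 413;
	return 0;
}
```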

Re: httpd queue bug in server_http.c

Florian Obser-2
moved back to tech@ with this diff:

diff --git server_http.c server_http.c
index e05cec56dfc..52698a66b2e 100644
--- server_http.c
+++ server_http.c
@@ -198,7 +198,6 @@ void
 server_read_http(struct bufferevent *bev, void *arg)
 {
  struct client *clt = arg;
- struct server_config *srv_conf = clt->clt_srv_conf;
  struct http_descriptor *desc = clt->clt_descreq;
  struct evbuffer *src = EVBUFFER_INPUT(bev);
  char *line = NULL, *key, *value;
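Review bot: the `srv_conf` local is dropped from server_read_http, but this hunk only shows its declaration; confirm that the maxrequestbody comparison removed further down is the function's only remaining use of `srv_conf`, otherwise the build fails with an undeclared identifier.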
@@ -357,11 +356,6 @@ server_read_http(struct bufferevent *bev, void *arg)
  server_abort_http(clt, 500, errstr);
  goto abort;
  }
- if ((size_t)clt->clt_toread >
-    srv_conf->maxrequestbody) {
- server_abort_http(clt, 413, NULL);
- goto abort;
- }
  }
 
  if (strcasecmp("Transfer-Encoding", key) == 0 &&
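Review bot: removing the comparison here means an oversized Content-Length is no longer rejected at header-parse time, only once server_response() runs; that is only safe if server_response() is reached before any body bytes are read into the client, which the hunk cannot show and should be checked. The removed check had no `clt_toread > 0` guard, which was fine at this spot because it followed the just-parsed value (the 500/errstr branch above it); the relocated check rightly adds that guard since server_response() also sees requests without a body.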
@@ -1334,6 +1328,12 @@ server_response(struct httpd *httpd, struct client *clt)
  srv_conf = server_getlocation(clt, desc->http_path);
  }
 
+ if (clt->clt_toread > 0 && (size_t)clt->clt_toread >
+    srv_conf->maxrequestbody) {
+ server_abort_http(clt, 413, NULL);
+ return (-1);
+ }
+
  if (srv_conf->flags & SRVFLAG_BLOCK) {
  server_abort_http(clt, srv_conf->return_code,
     srv_conf->return_uri);
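Review bot: the new check is placed after `srv_conf = server_getlocation(clt, desc->http_path);`, so the limit compared is the matched location's maxrequestbody rather than the first queue entry's, which is the reported bug. Two points on placement: it runs before the SRVFLAG_BLOCK branch, so a blocked location receiving an oversized Content-Length answers 413 instead of the configured `return_code`/`return_uri`; move it after the block handling if the block response should take precedence. And since server_abort_http() is called before `return (-1)`, confirm that every caller of server_response() treats -1 as "client already aborted" and does not abort or respond a second time.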


--
I'm not entirely sure you are real.