Detect runaway chunks in ngx_http_parse_chunked().

As defined in HTTP/1.1, body chunks have the following ABNF: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF where chunk-data is a sequence of chunk-size octets. With this change, chunk-data that doesn't end up with CRLF at chunk-size offset will be treated as invalid, such as in the example provided below: 4 SEE-THIS-AND- 4 THAT 0
author: Sergey Kandaurov <pluknet@nginx.com> 2019-09-03 17:26:56 +0300
committer: Sergey Kandaurov <pluknet@nginx.com> 2019-09-03 17:26:56 +0300
commit: 77c01f10a1ab7796f57ef354fb1f078e09afe2c4 (patch)
tree: 21a7e00b9548d030ed7bc476a62837229294b83b /src
parent: 9cb22efa3fe947f8474338b99d389a35da177bb9 (diff)
download: nginx-77c01f10a1ab7796f57ef354fb1f078e09afe2c4.tar.gz
nginx-77c01f10a1ab7796f57ef354fb1f078e09afe2c4.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index d9a1dbedb..8e1b11852 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2268,6 +2268,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 break;
             case LF:
                 state = sw_chunk_start;
+                break;
+            default:
+                goto invalid;
             }
             break;
author	Sergey Kandaurov <pluknet@nginx.com>	2019-09-03 17:26:56 +0300
committer	Sergey Kandaurov <pluknet@nginx.com>	2019-09-03 17:26:56 +0300
commit	77c01f10a1ab7796f57ef354fb1f078e09afe2c4 (patch)
tree	21a7e00b9548d030ed7bc476a62837229294b83b /src
parent	9cb22efa3fe947f8474338b99d389a35da177bb9 (diff)
download	nginx-77c01f10a1ab7796f57ef354fb1f078e09afe2c4.tar.gz nginx-77c01f10a1ab7796f57ef354fb1f078e09afe2c4.zip