From: Valentin Bartenev <vbart@nginx.com>
Date: Fri, 7 Nov 2014 14:22:19 +0000 (+0300)
Subject: SPDY: fixed check for too long header name or value.
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=20d41493d428f123cc867590d693ef7e14a4ea11;p=nginx.git

SPDY: fixed check for too long header name or value.

For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.
---

diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index ae95efd35..9cac691e0 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -2660,10 +2660,10 @@ ngx_http_spdy_alloc_large_header_buffer(ngx_http_request_t *r)
     rest = r->header_in->last - r->header_in->pos;
 
     /*
-     * equality is prohibited since one more byte is needed
-     * for null-termination
+     * One more byte is needed for null-termination
+     * and another one for further progress.
      */
-    if (rest >= cscf->large_client_header_buffers.size) {
+    if (rest > cscf->large_client_header_buffers.size - 2) {
         p = r->header_in->pos;
 
         if (rest > NGX_MAX_ERROR_STR - 300) {