diff options
| author | Yann Ylavic <ylavic@apache.org> | 2015-06-29 19:52:00 +0200 |
|---|---|---|
| committer | Yann Ylavic <ylavic@apache.org> | 2015-06-29 19:52:00 +0200 |
| commit | dc7df095edf962ddbfbf1c2a6d3f7d85da68b5ca (patch) | |
| tree | ad5561c8ecd37ab88f449a6a30efbdb694a680f1 /modules/http | |
| parent | Rebuild. (diff) | |
| download | apache2-dc7df095edf962ddbfbf1c2a6d3f7d85da68b5ca.tar.xz apache2-dc7df095edf962ddbfbf1c2a6d3f7d85da68b5ca.zip | |
http: follow up to r1484852.
Don't check LimitRequestBody when there is no (more) body.
This fixes an uninitialized use of 'totalread' in ap_http_filter() when either
the remaining or requested number of body bytes is zero, leading to an invalid
computation of bytes received.
Reported by: Michael Kaufmann <mail michael-kaufmann.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1688274 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/http')
| -rw-r--r-- | modules/http/http_filters.c | 34 |
1 files changed, 18 insertions, 16 deletions
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index a4e0150423..80c8bcb6b3 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -279,7 +279,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; - apr_off_t totalread; int again; conf = (core_server_config *) @@ -503,6 +502,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, readbytes = ctx->remaining; } if (readbytes > 0) { + apr_off_t totalread; rv = ap_get_brigade(f->next, b, mode, block, readbytes); @@ -545,6 +545,23 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, } } + /* We have a limit in effect. */ + if (ctx->limit) { + /* FIXME: Note that we might get slightly confused on + * chunked inputs as we'd need to compensate for the chunk + * lengths which may not really count. This seems to be up + * for interpretation. + */ + ctx->limit_used += totalread; + if (ctx->limit < ctx->limit_used) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, + APLOGNO(01591) "Read content length of " + "%" APR_OFF_T_FMT " is larger than the " + "configured limit of %" APR_OFF_T_FMT, + ctx->limit_used, ctx->limit); + return APR_ENOSPC; + } + } } /* If we have no more bytes remaining on a C-L request, @@ -556,21 +573,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, ctx->eos_sent = 1; } - /* We have a limit in effect. */ - if (ctx->limit) { - /* FIXME: Note that we might get slightly confused on chunked inputs - * as we'd need to compensate for the chunk lengths which may not - * really count. This seems to be up for interpretation. */ - ctx->limit_used += totalread; - if (ctx->limit < ctx->limit_used) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01591) - "Read content-length of %" APR_OFF_T_FMT - " is larger than the configured limit" - " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); - return APR_ENOSPC; - } - } - break; } case BODY_CHUNK_TRAILER: { |