[Asterisk-code-review] http.c: Give HTTP error response when received lines are too... (asterisk[13])

Richard Mudgett asteriskteam at digium.com
Tue Sep 4 10:57:27 CDT 2018


Richard Mudgett has posted comments on this change. ( https://gerrit.asterisk.org/10030 )

Change subject: http.c: Give HTTP error response when received lines are too long.
......................................................................


Patch Set 1:

(1 comment)

https://gerrit.asterisk.org/#/c/10030/1/main/http.c
File main/http.c:

https://gerrit.asterisk.org/#/c/10030/1/main/http.c@1787
PS1, Line 1787: "Timeout"
> 'Timeout' seems odd. […]
fgets() connected to a file system isn't going to return until either it has read in a line or it fills the passed-in buffer.  In Asterisk's case it is connected to a transport socket.

If fgets() returns a short buffer that wasn't a line then the transport either closed or a timeout happened waiting for the rest of a line to come in.  In either of those off-nominal cases it is going to return whatever it has in the buffer.  It would do that just in case the caller has any use for the already accumulated data.

In the current situation:

If the early return was for a disconnected transport then the HTTP timeout error return would get discarded because there is nothing to send the message over.

If the early return was for a timeout then the HTTP timeout error return would get sent and the transport would get closed.  We cannot have a potential attacker consuming our resources, right?



-- 
To view, visit https://gerrit.asterisk.org/10030

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-MessageType: comment
Gerrit-Change-Id: I6df2705435fd7dde4d5d3bdf7acec859cfb7c12d
Gerrit-Change-Number: 10030
Gerrit-PatchSet: 1
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Matthew Fredrickson <creslin at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>
Gerrit-Comment-Date: Tue, 04 Sep 2018 15:57:27 +0000
Gerrit-HasComments: Yes
Gerrit-HasLabels: No
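
The fgets() outcomes described in the comment above (complete line, buffer filled without a newline, short return after the stream stopped), as an added example that is not part of the original message or of Asterisk's main/http.c. The enum, the function names and the sample request lines are hypothetical, and a temporary file's EOF stands in for a closed or timed-out transport.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from main/http.c. */
enum line_status {
    LINE_OK,       /* complete line, ends in '\n' */
    LINE_TOO_LONG, /* buffer filled before a newline arrived */
    LINE_SHORT,    /* partial data, then the stream stopped */
    LINE_NONE      /* nothing was read */
};

/* Read one line with fgets() and classify what came back. */
static enum line_status read_line(FILE *f, char *buf, size_t size)
{
    size_t len;

    if (size < 2 || !fgets(buf, (int) size, f)) {
        return LINE_NONE;
    }
    len = strlen(buf);
    if (len == 0) {
        return LINE_SHORT; /* data began with a NUL byte: no usable line */
    }
    if (buf[len - 1] == '\n') {
        return LINE_OK;
    }
    /* No newline: a full buffer means the line did not fit (a stream that
     * ends exactly at the limit looks the same); shorter means the sender
     * stopped mid-line. */
    return len == size - 1 ? LINE_TOO_LONG : LINE_SHORT;
}

/* Constructed input: a temporary file whose EOF stands in for the
 * transport closing or timing out. */
static enum line_status classify_sample(const char *data, size_t bufsize)
{
    char buf[256];
    enum line_status st = LINE_NONE;
    FILE *f = tmpfile();

    if (f && bufsize <= sizeof(buf)) {
        fputs(data, f);
        rewind(f);
        st = read_line(f, buf, bufsize);
    }
    if (f) {
        fclose(f);
    }
    return st;
}
```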