<p>Richard Mudgett has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/10031">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">http.c: Give HTTP error response when received lines are too long.<br><br>Added a check when we receive a HTTP request line or header line that is<br>too long. We now return an error response to the sender because we are<br>not able to process the request.<br><br>Change-Id: I6df2705435fd7dde4d5d3bdf7acec859cfb7c12d<br>---<br>M main/http.c<br>1 file changed, 19 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/31/10031/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/main/http.c b/main/http.c</span><br><span>index 30b2fe2..e9c6e83 100644</span><br><span>--- a/main/http.c</span><br><span>+++ b/main/http.c</span><br><span>@@ -1740,13 +1740,21 @@</span><br><span> </span><br><span> remaining_headers = MAX_HTTP_REQUEST_HEADERS;</span><br><span> for (;;) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ssize_t len;</span><br><span> char *name;</span><br><span> char *value;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_iostream_gets(ser->stream, header_line, sizeof(header_line)) <= 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ len = ast_iostream_gets(ser->stream, header_line, sizeof(header_line));</span><br><span style="color: hsl(120, 100%, 40%);">+ if (len <= 0) {</span><br><span> ast_http_error(ser, 400, "Bad Request", "Timeout");</span><br><span> return -1;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (header_line[len - 1] != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We didn't get a full line */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_http_error(ser, 400, "Bad Request",</span><br><span style="color: hsl(120, 100%, 40%);">+ (len == sizeof(header_line) - 1) ? "Header line too long" : "Timeout");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> </span><br><span> /* Trim trailing characters */</span><br><span> ast_trim_blanks(header_line);</span><br><span>@@ -1815,9 +1823,11 @@</span><br><span> struct http_worker_private_data *request;</span><br><span> enum ast_http_method http_method = AST_HTTP_UNKNOWN;</span><br><span> int res;</span><br><span style="color: hsl(120, 100%, 40%);">+ ssize_t len;</span><br><span> char request_line[MAX_HTTP_LINE_LENGTH];</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_iostream_gets(ser->stream, request_line, sizeof(request_line)) <= 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ len = ast_iostream_gets(ser->stream, request_line, sizeof(request_line));</span><br><span style="color: hsl(120, 100%, 40%);">+ if (len <= 0) {</span><br><span> return -1;</span><br><span> }</span><br><span> </span><br><span>@@ -1825,6 +1835,13 @@</span><br><span> request = ser->private_data;</span><br><span> http_request_tracking_init(request);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (request_line[len - 1] != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We didn't get a full line */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_http_error(ser, 400, "Bad Request",</span><br><span style="color: hsl(120, 100%, 40%);">+ (len == sizeof(header_line) - 1) ? "Request line too long" : "Timeout");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Get method */</span><br><span> method = ast_skip_blanks(request_line);</span><br><span> uri = ast_skip_nonblanks(method);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/10031">change 10031</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/10031"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I6df2705435fd7dde4d5d3bdf7acec859cfb7c12d </div>
<div style="display:none"> Gerrit-Change-Number: 10031 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Richard Mudgett <rmudgett@digium.com> </div>