Unverified Commit 03370fa5 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

http: fix the max header length detection logic 

Previously, it would only check for max length if the existing alloc
buffer was to small to fit it, which often would make the header still
get used.

Reported-by: Guido Berhoerster
Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html

Closes #2315
parent 5a44c9fa

lib/http.c

+10 −11
Original line number Diff line number Diff line
@@ -2880,20 +2880,19 @@ static CURLcode header_append(struct Curl_easy *data, 
                              struct SingleRequest *k,

                              size_t length)

{

  if(k->hbuflen + length >= data->state.headersize) {

    /* We enlarge the header buffer as it is too small */

    char *newbuff;

    size_t hbufp_index;

    size_t newsize;



    if(k->hbuflen + length > CURL_MAX_HTTP_HEADER) {

  size_t newsize = k->hbuflen + length;

  if(newsize > CURL_MAX_HTTP_HEADER) {

    /* The reason to have a max limit for this is to avoid the risk of a bad

       server feeding libcurl with a never-ending header that will cause

       reallocs infinitely */

      failf(data, "Avoided giant realloc for header (max is %d)!",

    failf(data, "Rejected %zd bytes header (max is %d)!", newsize,

          CURL_MAX_HTTP_HEADER);

    return CURLE_OUT_OF_MEMORY;

  }

  if(newsize >= data->state.headersize) {

    /* We enlarge the header buffer as it is too small */

    char *newbuff;

    size_t hbufp_index;



    newsize = CURLMAX((k->hbuflen + length) * 3 / 2, data->state.headersize*2);

    hbufp_index = k->hbufp - data->state.headerbuff;