[nginx] SPDY: fixed check for too long header name or value.

Mon Nov 17 18:20:41 UTC 2014

details:   http://hg.nginx.org/nginx/rev/abb466a57a22
branches:  
changeset: 5904:abb466a57a22
user:      Valentin Bartenev <vbart at nginx.com>
date:      Fri Nov 07 17:22:19 2014 +0300
description:
SPDY: fixed check for too long header name or value.

For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.

diffstat:

 src/http/ngx_http_spdy.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (17 lines):

diff -r 571e66f7c12c -r abb466a57a22 src/http/ngx_http_spdy.c

--- a/src/http/ngx_http_spdy.c	Fri Nov 07 17:19:12 2014 +0300
+++ b/src/http/ngx_http_spdy.c	Fri Nov 07 17:22:19 2014 +0300
@@ -2660,10 +2660,10 @@ ngx_http_spdy_alloc_large_header_buffer(
     rest = r->header_in->last - r->header_in->pos;
 
     /*
-     * equality is prohibited since one more byte is needed
-     * for null-termination
+     * One more byte is needed for null-termination
+     * and another one for further progress.
      */
-    if (rest >= cscf->large_client_header_buffers.size) {
+    if (rest > cscf->large_client_header_buffers.size - 2) {
         p = r->header_in->pos;
 
         if (rest > NGX_MAX_ERROR_STR - 300) {

