httpd-dev mailing list archives

From Jeff Trawick <traw...@attglobal.net>
Subject 1.3 (apparently) can build bogus chunk headers
Date Thu, 18 Mar 2004 10:04:01 GMT
or Jeff can't read the RFC ;)

buff.c:  The code will put trailing spaces on short chunk sizes.

    /* we know this will fit because of how we wrote it in start_chunk() */
    i = ap_snprintf((char *) &fb->outbase[fb->outchunk], CHUNK_HEADER_SIZE,
                    "%x", fb->outcnt - fb->outchunk - CHUNK_HEADER_SIZE);

    /* we may have to tack some trailing spaces onto the number we just wrote
     * in case it was smaller than our estimated size.  We've also written
     * a \0 into the buffer with ap_snprintf so we might have to put a
     * \r back in.
     */
    strp = &fb->outbase[fb->outchunk + i];
    while (i < CHUNK_HEADER_SIZE - 2) {
        *strp++ = ' ';
        ++i;
    }
    *strp++ = CR;
    *strp = LF;

No room in RFC 2616 for that blank, as far as I can tell:

chunk          = chunk-size [ chunk-extension ] CRLF
                  chunk-data CRLF
chunk-size     = 1*HEX
chunk-extension= *( ";" chunk-ext-name [ "=" chunk-ext-val ] )

An example:

See "23 \r\n" starting at offset 0xA3:

00000060: 6f6e 3a20 636c 6f73 650d 0a54 7261 6e73  on: close..Trans
00000070: 6665 722d 456e 636f 6469 6e67 3a20 6368  fer-Encoding: ch
00000080: 756e 6b65 640d 0a43 6f6e 7465 6e74 2d54  unked..Content-T
00000090: 7970 653a 2074 6578 742f 706c 6169 6e0d  ype: text/plain.
000000a0: 0a0d 0a32 3320 0d0a 3132 3334 3536 3738  ...23 ..12345678
000000b0: 3930 0a31 3233 3435 3637 3839 300a 3132  90.1234567890.12
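
Added example, not part of the original message and not Apache code: a C check that applies the three quoted productions literally (no whitespace anywhere in the chunk-size line) to the blank-padded header from the dump and to a zero-padded one, which is one way to fill a fixed-width slot while staying within 1*HEX. `HDR_SIZE`, `skip_token`, `strict_chunk_line` and `fixed_header` are hypothetical names, and extension values are limited to tokens (no quoted-string).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define HDR_SIZE 5 /* constructed: the 5-byte "23 \r\n" slot seen in the dump */

/* Hypothetical helper: skip an RFC 2616 token (no CTLs, no separators). */
static size_t skip_token(const char *s, size_t i, size_t n)
{
    while (i < n && s[i] > 32 && s[i] < 127 && !strchr("()<>@,;:\\\"/[]?={}", s[i])) i++;
    return i;
}

/* 1 if line[0..n) is exactly 1*HEX *( ";" name [ "=" value ] ) CRLF, else 0.
 * Simplification: extension values are tokens only (no quoted-string). */
int strict_chunk_line(const char *line, size_t n)
{
    size_t i = 0, j;
    while (i < n && isxdigit((unsigned char)line[i])) i++;
    if (i == 0) return 0;                    /* chunk-size needs a digit */
    while (i < n && line[i] == ';') {
        if ((j = skip_token(line, i + 1, n)) == i + 1) return 0; /* no name */
        i = j;
        if (i < n && line[i] == '=') {
            if ((j = skip_token(line, i + 1, n)) == i + 1) return 0;
            i = j;
        }
    }
    return i + 2 == n && line[i] == '\r' && line[i + 1] == '\n';
}

/* zero_pad=0: trailing blanks as in the message; 1: leading zeros. -1 if len won't fit. */
int fixed_header(char *out, unsigned len, int zero_pad)
{
    char tmp[HDR_SIZE + 1];
    if (len >> (4 * (HDR_SIZE - 2))) return -1;
    snprintf(tmp, sizeof tmp, zero_pad ? "%0*x" : "%-*x", HDR_SIZE - 2, len);
    memcpy(out, tmp, HDR_SIZE - 2);
    memcpy(out + HDR_SIZE - 2, "\r\n", 2);
    return 0;
}

int main(void)
{
    char h[HDR_SIZE];
    for (int z = 0; z < 2; z++) {
        fixed_header(h, 0x23, z);
        printf("zero_pad=%d: %s\n", z, strict_chunk_line(h, HDR_SIZE) ? "valid" : "rejected");
    }
}
```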
