Return-Path: 
 <apache-bugdb-owner-apache-bugdb-archive=hyperreal.org@apache.org>
Delivered-To: apache-bugdb-archive@hyperreal.org
Received: (qmail 17275 invoked by uid 6000); 8 Jul 1999 20:40:13 -0000
Received: (qmail 16719 invoked by uid 2001); 8 Jul 1999 20:40:01 -0000
Received: (qmail 24013 invoked by uid 2012); 8 Jul 1999 20:29:55 -0000
Message-Id: <19990708202955.24012.qmail@hyperreal.org>
Date: 8 Jul 1999 20:29:55 -0000
From: David Jones <vman+@osu.edu>
Reply-To: vman+@osu.edu
To: apbugs@hyperreal.org
X-Send-Pr-Version: 3.2
Subject: protocol/4716: Server send invalid response if chunked transfer has
 chunk larger than 4095 bytes.
Sender: apache-bugdb-owner@apache.org
Precedence: bulk


>Number:         4716
>Category:       protocol
>Synopsis:       Server send invalid response if chunked transfer has chunk larger than 4095 bytes.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jul  8 13:40:01 PDT 1999
>Last-Modified:
>Originator:     vman+@osu.edu
>Organization:
apache
>Release:        1.3.6
>Environment:
OpenVMS 7.1-1h2, DEC C 6.0 C compiler (ALPACRTL08), TCP/IP serv. for VMS 4.2ECO2
>Description:
In porting Apache to OpenVMS, limitations in the stat() function require
some files to be transferred using chunked transfer encoding rather than
via a content-length header.  When transferring files ap_bwrite gets called
with buffers larger than 4095 (0x0fff), which buff.c tries to convert to
a data chunk.  The bug is that CHUNK_HEADER_SIZE is only 5, for a 4 digit
hex number this causes the chunk header to overflow into data section and
gets the bytes counts out of sync.  The 1.1 client (e.g. IE5) hangs when
it tries to download this file.
>How-To-Repeat:
Remove the set_content_length call from default_handerl() function in 
http_core.c to force it to use chunked transfer mode.
>Fix:
Changing the value of CHUNK_HEADER_SIZE from 5 to 6 apparently fixes the
problem.  The real error may be that ap_bwrite() isn't breaking up the
buffer to write into smaller pieces for the chunk encapsulation - I don't
know enough about how the buffering is implemented.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]