diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-12-16 09:17:07 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-12-16 09:17:07 +0000 |
| commit | a568844c6783d304c8e46b6ed545f4505264b9e5 (patch) | |
| tree | 36ea2cf0bc84393cf3cfe58ee80c6c737bf3100c /lib/libfetch | |
| parent | 942e4b4b794a5cb5622d45896d373619ba8722b7 (diff) | |
| download | src-a568844c6783d304c8e46b6ed545f4505264b9e5.tar.gz src-a568844c6783d304c8e46b6ed545f4505264b9e5.zip | |
Reset bufpos to 0 immediately after refilling the buffer. Otherwise, we
risk leaving the connection in an indeterminate state if the server fails
to send a chunk delimiter. Depending on the application and on the sizes
of the preceding chunks, the result can be anything from missing data to a
segfault. With this patch, it will be reported as a protocol error.
PR: 204771
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=292330
Diffstat (limited to 'lib/libfetch')
| -rw-r--r-- | lib/libfetch/http.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/lib/libfetch/http.c b/lib/libfetch/http.c index 51cac70b370f..486733333e4e 100644 --- a/lib/libfetch/http.c +++ b/lib/libfetch/http.c @@ -246,8 +246,9 @@ http_fillbuf(struct httpio *io, size_t len) io->error = errno; return (-1); } + io->bufpos = 0; io->buflen = nbytes; - io->chunksize -= io->buflen; + io->chunksize -= nbytes; if (io->chunksize == 0) { if (fetch_read(io->conn, &ch, 1) != 1 || ch != '\r' || @@ -255,8 +256,6 @@ http_fillbuf(struct httpio *io, size_t len) return (-1); } - io->bufpos = 0; - return (io->buflen); } |