umgeher/cowboy
0
Fork 0
mirror of https://github.com/ninenines/cowboy.git synced 2025-07-14 20:30:23 +00:00
Code Issues Wiki Activity

Fix crash in cowboy_http2 when content-length is invalid

Browse source
This commit is contained in:
Loïc Hoguin 2018-02-28 16:18:29 +01:00
parent e23e12287a
commit 19054e40e0
No known key found for this signature in database
GPG key ID: 8A9DF795F6FED764
2 changed files with 33 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/cowboy_http2.erl
View file

@ -927,24 +927,27 @@ headers_to_map([{Name, Value}|Tail], Acc0) ->
end, end,
headers_to_map(Tail, Acc). headers_to_map(Tail, Acc).
stream_req_init(State=#state{ref=Ref, peer=Peer, sock=Sock, cert=Cert}, stream_req_init(State, StreamID, IsFin, Headers, PseudoHeaders) ->
StreamID, IsFin, Headers, #{method := Method, scheme := Scheme, case Headers of
authority := Authority, path := PathWithQs}) ->
BodyLength = case Headers of
_ when IsFin =:= fin -> _ when IsFin =:= fin ->
0; stream_req_init(State, StreamID, IsFin, Headers, PseudoHeaders, 0);
#{<<"content-length">> := <<"0">>} -> #{<<"content-length">> := <<"0">>} ->
0; stream_req_init(State, StreamID, IsFin, Headers, PseudoHeaders, 0);
#{<<"content-length">> := BinLength} -> #{<<"content-length">> := BinLength} ->
try try
cow_http_hd:parse_content_length(BinLength) stream_req_init(State, StreamID, IsFin, Headers, PseudoHeaders,
cow_http_hd:parse_content_length(BinLength))
catch _:_ -> catch _:_ ->
terminate(State, {stream_error, StreamID, protocol_error, stream_malformed(State, StreamID,
'The content-length header is invalid. (RFC7230 3.3.2)'}) 'The content-length header is invalid. (RFC7230 3.3.2)')
end; end;
_ -> _ ->
undefined stream_req_init(State, StreamID, IsFin, Headers, PseudoHeaders, undefined)
end, end.
stream_req_init(State=#state{ref=Ref, peer=Peer, sock=Sock, cert=Cert},
StreamID, IsFin, Headers, #{method := Method, scheme := Scheme,
authority := Authority, path := PathWithQs}, BodyLength) ->
try cow_http_hd:parse_host(Authority) of try cow_http_hd:parse_host(Authority) of
{Host, Port} -> {Host, Port} ->
try cow_http:parse_fullpath(PathWithQs) of try cow_http:parse_fullpath(PathWithQs) of

20
test/rfc7540_SUITE.erl
View file

@ -3196,7 +3196,25 @@ reject_many_pseudo_header_path(Config) ->
% that is defined to have no payload, as described in [RFC7230], % that is defined to have no payload, as described in [RFC7230],
% Section 3.3.2, can have a non-zero content-length header field, even % Section 3.3.2, can have a non-zero content-length header field, even
% though no content is included in DATA frames. % though no content is included in DATA frames.
%
reject_duplicate_content_length_header(Config) ->
doc("A request with duplicate content-length headers must be rejected "
"with a PROTOCOL_ERROR stream error. (RFC7230 3.3.2, RFC7540 8.1.2.6)"),
{ok, Socket} = do_handshake(Config),
%% Send a HEADERS frame with more than one content-length header.
{HeadersBlock, _} = cow_hpack:encode([
{<<":method">>, <<"GET">>},
{<<":scheme">>, <<"http">>},
{<<":authority">>, <<"localhost">>}, %% @todo Correct port number.
{<<":path">>, <<>>},
{<<"content-length">>, <<"12">>},
{<<"content-length">>, <<"12">>}
]),
ok = gen_tcp:send(Socket, cow_http2:headers(1, nofin, HeadersBlock)),
%% Receive a PROTOCOL_ERROR stream error.
{ok, << _:24, 3:8, _:8, 1:32, 1:32 >>} = gen_tcp:recv(Socket, 13, 6000),
ok.
% Intermediaries that process HTTP requests or responses (i.e., any % Intermediaries that process HTTP requests or responses (i.e., any
% intermediary not acting as a tunnel) MUST NOT forward a malformed % intermediary not acting as a tunnel) MUST NOT forward a malformed
% request or response. Malformed requests or responses that are % request or response. Malformed requests or responses that are