Experimental fix for fragmented request lines (needs unit test)

uNetworkingAB · uNetworkingAB · commit 6b966b24ee2d · 2024-09-01T18:59:52.000+02:00
diff --git a/src/HttpParser.h b/src/HttpParser.h
@@ -311,11 +311,20 @@ struct HttpParser {
                     if (memcmp(" HTTP/1.1\r\n", data, 11) == 0) {
                         return data + 11;
                     }
-                    return nullptr;
+                    /* If we stand at the post padded CR, we have fragmented input so try again later */
+                    if (data[0] == '\r') {
+                        return nullptr;
+                    }
+                    /* This is an error */
+                    return (char *) 0x1;
                 }
             }
         }
-        return nullptr;
+        /* If we stand at the post padded CR, we have fragmented input so try again later */
+        if (data[0] == '\r') {
+            return nullptr;
+        }
+        return (char *) 0x1;
     }
 
     /* RFC 9110: 5.5 Field Values (TLDR; anything above 31 is allowed; htab (9) is also allowed)
@@ -364,10 +373,10 @@ struct HttpParser {
          * which is then removed, and our counters to flip due to overflow and we end up with a crash */
 
         /* The request line is different from the field names / field values */
-        if (!(postPaddedBuffer = consumeRequestLine(postPaddedBuffer, headers[0]))) {
+        if ((char *) 2 > (postPaddedBuffer = consumeRequestLine(postPaddedBuffer, headers[0]))) {
             /* Error - invalid request line */
             /* Assuming it is 505 HTTP Version Not Supported */
-            err = HTTP_ERROR_505_HTTP_VERSION_NOT_SUPPORTED;
+            err = postPaddedBuffer ? HTTP_ERROR_505_HTTP_VERSION_NOT_SUPPORTED : 0;
             return 0;
         }
         headers++;

Original file line number	Diff line number	Diff line change
`@@ -311,11 +311,20 @@ struct HttpParser {`
`311`	`311`	`if (memcmp(" HTTP/1.1\r\n", data, 11) == 0) {`
`312`	`312`	`return data + 11;`
`313`	`313`	`}`
`314`		`- return nullptr;`
	`314`	`+ /* If we stand at the post padded CR, we have fragmented input so try again later */`
	`315`	`+ if (data[0] == '\r') {`
	`316`	`+ return nullptr;`
	`317`	`+ }`
	`318`	`+ /* This is an error */`
	`319`	`+ return (char *) 0x1;`
`315`	`320`	`}`
`316`	`321`	`}`
`317`	`322`	`}`
`318`		`- return nullptr;`
	`323`	`+ /* If we stand at the post padded CR, we have fragmented input so try again later */`
	`324`	`+ if (data[0] == '\r') {`
	`325`	`+ return nullptr;`
	`326`	`+ }`
	`327`	`+ return (char *) 0x1;`
`319`	`328`	`}`
`320`	`329`
`321`	`330`	`/* RFC 9110: 5.5 Field Values (TLDR; anything above 31 is allowed; htab (9) is also allowed)`
`@@ -364,10 +373,10 @@ struct HttpParser {`
`364`	`373`	`* which is then removed, and our counters to flip due to overflow and we end up with a crash */`
`365`	`374`
`366`	`375`	`/* The request line is different from the field names / field values */`
`367`		`- if (!(postPaddedBuffer = consumeRequestLine(postPaddedBuffer, headers[0]))) {`
	`376`	`+ if ((char *) 2 > (postPaddedBuffer = consumeRequestLine(postPaddedBuffer, headers[0]))) {`
`368`	`377`	`/* Error - invalid request line */`
`369`	`378`	`/* Assuming it is 505 HTTP Version Not Supported */`
`370`		`- err = HTTP_ERROR_505_HTTP_VERSION_NOT_SUPPORTED;`
	`379`	`+ err = postPaddedBuffer ? HTTP_ERROR_505_HTTP_VERSION_NOT_SUPPORTED : 0;`
`371`	`380`	`return 0;`
`372`	`381`	`}`
`373`	`382`	`headers++;`