Bug 49474 - http-2 fails in processing chunked requests with long chunk-size / -extension line
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.15
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2010-06-20 09:53 UTC by tee.bee
Modified: 2012-02-26 17:05 UTC



Description tee.bee 2010-06-20 09:53:20 UTC
Overview:
According to RFC 2616 (3.6.1), a request may be chunked encoded. Moreover, the chunk-size line can be extended by zero or more chunk extensions. Apache http-2 fails in processing such requests if the length of a chunk-size / -extension line exceeds 31 bytes (including CRLF).

Steps to Reproduce:
1) A chunked encoded POST request with chunk-size / -extension lines of length at most 31 bytes is handled correctly:
    $ telnet localhost 80
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    POST /cgi-bin/printenv HTTP/1.1
    Host: $host
    Connection: close
    Transfer-Encoding: chunked
    
    5;ext-name=ext-val
    01234
    0
    
    HTTP/1.1 200 OK
[...]

2) However, a chunked encoded POST request with a chunk-size / -extension line of length 32 bytes or more is not processed:
    $ telnet localhost 80
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    POST /cgi-bin/printenv HTTP/1.1
    Host: $host
    Connection: close
    Transfer-Encoding: chunked
    
    5;ext-name=very-long-ext-val32
    01234
    0
    
No response.

Actual Results:
The server does not answer the request.

Expected Results:
The server should be RFC 2616 (3.6.1) compliant and process the request.

Build Date & Platform:
$ ./httpd -V
Server version: Apache/2.2.15 (Unix)
Server built:   Jun 20 2010 15:03:53
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="[...]/apache2"
 -D SUEXEC_BIN="[...]/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

$ uname -srvmpio
Linux 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686 unknown unknown GNU/Linux

Additional Information:
It is likely that the problem could be fixed by (re-)setting
    ctx->pos = ctx->chunk_ln;
at the end of
    get_remaining_chunk_line()
in
    httpd-2.2.15/modules/http/http_filters.c
.
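
An added example, not part of the original report and not httpd's code: a minimal C parser for one chunk-size line that consumes input byte by byte, so a line like the 32-byte one in step 2 parses the same way however it is fragmented. The names `chunk_line`, `chunk_line_init`, `chunk_line_feed` and the `limit` cap are hypothetical, and extension contents are skipped rather than validated.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not httpd source. Parses one line of the form
 *   chunk-size [ chunk-extension ] CRLF      (RFC 2616, 3.6.1)
 * byte by byte, so no fixed-size line buffer is involved. */
enum cl_state { CL_SIZE, CL_EXT, CL_LF, CL_DONE, CL_ERROR };
struct chunk_line {
    enum cl_state state;
    uint64_t size;   /* chunk-size parsed so far */
    int digits;      /* hex digits seen */
    size_t seen;     /* bytes consumed, CRLF included */
    size_t limit;    /* hypothetical cap on the whole line */
};

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                            /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

void chunk_line_init(struct chunk_line *cl, size_t limit)
{
    *cl = (struct chunk_line){ .state = CL_SIZE, .limit = limit };
}

/* Consume up to len bytes, return how many were used; stops after the LF. */
size_t chunk_line_feed(struct chunk_line *cl, const char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && cl->state < CL_DONE) {
        unsigned char c = (unsigned char)buf[i++];
        int v = hexval(c);
        if (++cl->seen > cl->limit) { cl->state = CL_ERROR; break; }
        if (cl->state == CL_SIZE && v >= 0 && !(cl->size >> 60)) {
            cl->size = (cl->size << 4) | (uint64_t)v;   /* no overflow */
            cl->digits++;
        } else if (cl->state == CL_SIZE && cl->digits && c == ';') {
            cl->state = CL_EXT;           /* extension bytes are skipped */
        } else if (cl->state != CL_LF && cl->digits && c == '\r') {
            cl->state = CL_LF;
        } else if (cl->state == CL_LF) {
            cl->state = (c == '\n') ? CL_DONE : CL_ERROR;
        } else if (cl->state != CL_EXT || c == '\n') {
            cl->state = CL_ERROR;         /* bad size digit or bare LF */
        }
    }
    return i;
}
```

The caller reads `size` only once `state` is `CL_DONE`; any bytes left after the returned count belong to the chunk data.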
Comment 1 Nick Kew 2010-07-20 08:24:01 UTC
Good catch!  Your suggested fix works for me.  r965824
Comment 2 Stefan Fritsch 2012-02-26 17:05:36 UTC
fixed in 2.4.1