mirror/transmission
1
0
Fork 0
mirror of https://github.com/transmission/transmission synced 2025-03-05 11:08:04 +00:00
Code Issues Releases Wiki Activity

Fix an infinite loop triggered by an invalid HTTP chunked response.

Browse source
This commit is contained in:
Josh Elsasser 2006-11-28 21:45:37 +00:00
parent 6a154b794d
commit 1f7be3430f
1 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
libtransmission/http.c
View file

@ -679,7 +679,7 @@ static int
checklength( tr_http_t * http )
{
char * buf;
int num, ii, len;
int num, ii, len, lastnum;
switch( http->lengthtype )
{
@ -702,10 +702,19 @@ checklength( tr_http_t * http )
break;
case HTTP_LENGTH_CHUNKED:
buf = http->header.buf;
buf = http->header.buf;
lastnum = -1;
while( http->header.used > http->chunkoff + http->chunklen )
{
num = http->chunkoff + http->chunklen;
if( lastnum == num )
{
/* ugh, some trackers send Transfer-encoding: chunked
and then don't encode the body */
http->lengthtype = HTTP_LENGTH_EOF;
return checklength( http );
}
lastnum = num;
while( http->header.used > num && NL( buf[num] ) )
{
num++;
@ -721,6 +730,8 @@ checklength( tr_http_t * http )
len = strtol( buf + num, NULL, 16 );
if( 0 == len )
{
/* XXX should handle invalid length
differently than 0 length chunk */
http->header.used = http->chunkoff + http->chunklen;
return 1;
}