mirror of
https://github.com/transmission/transmission
synced 2025-03-05 11:08:04 +00:00
Fix an infinite loop triggered by an invalid HTTP chunked response.
This commit is contained in:
parent
6a154b794d
commit
1f7be3430f
1 changed files with 13 additions and 2 deletions
|
@ -679,7 +679,7 @@ static int
|
|||
checklength( tr_http_t * http )
|
||||
{
|
||||
char * buf;
|
||||
int num, ii, len;
|
||||
int num, ii, len, lastnum;
|
||||
|
||||
switch( http->lengthtype )
|
||||
{
|
||||
|
@ -702,10 +702,19 @@ checklength( tr_http_t * http )
|
|||
break;
|
||||
|
||||
case HTTP_LENGTH_CHUNKED:
|
||||
buf = http->header.buf;
|
||||
buf = http->header.buf;
|
||||
lastnum = -1;
|
||||
while( http->header.used > http->chunkoff + http->chunklen )
|
||||
{
|
||||
num = http->chunkoff + http->chunklen;
|
||||
if( lastnum == num )
|
||||
{
|
||||
/* ugh, some trackers send Transfer-encoding: chunked
|
||||
and then don't encode the body */
|
||||
http->lengthtype = HTTP_LENGTH_EOF;
|
||||
return checklength( http );
|
||||
}
|
||||
lastnum = num;
|
||||
while( http->header.used > num && NL( buf[num] ) )
|
||||
{
|
||||
num++;
|
||||
|
@ -721,6 +730,8 @@ checklength( tr_http_t * http )
|
|||
len = strtol( buf + num, NULL, 16 );
|
||||
if( 0 == len )
|
||||
{
|
||||
/* XXX should handle invalid length
|
||||
differently than 0 length chunk */
|
||||
http->header.used = http->chunkoff + http->chunklen;
|
||||
return 1;
|
||||
}
|
||||
|
|
Loading…
Add table
Reference in a new issue