Bug 54578 - Bad docs or unchecked code for "LimitRequestFields"?
Summary: Bad docs or unchecked code for "LimitRequestFields"?
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.3
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-18 22:36 UTC by Tianyin Xu
Modified: 2014-02-13 09:35 UTC (History)
2 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tianyin Xu 2013-02-18 22:36:57 UTC
Hi, 

From the online docs (http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields), the "LimitRequestFields" directive is specified to be "an integer from 0 (meaning unlimited) to 32767."

However, in the source code, there's no place tells that where 32767 comes from.
Also, if I configure it to be 100000, the server starts without any warning. 

I wonder whether it's a bug of documentation, or setting the number to be larger than 32767 would cause further problems? In the latter case, we'd better check the value in the parsing function.

Thanks,
Tianyin
Comment 1 Tianyin Xu 2013-02-18 22:46:06 UTC
The same thing for "LimitRequestBody", the docs say

"the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB)"
http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

I set the number to be 2147483648 and my httpd server starts without any problem. And I also didn't find any place in the source code that shows the upper limit.

T
Comment 2 Yann Ylavic 2014-02-13 09:35:05 UTC
The checked limits really depends on the system (eg. 32/64/other-bit) and its integer types.

LimitRequestFields is an int (16-bit some time ago), whereas LimitRequestBody is an off_t (32-bit likewise), hence the limits specified in the (outdated-)doc.

For LimitRequestFields the code could probably enforce a reasonable hard limit below the one of today's 32-or-more-bit archs (and 32767 seems quite appropriate).

For LimitRequestBody however the documented limit may not be enough, although the code really use an off_t (which is often 64-or-more-bit now, even on LARGEFILE 32-bit archs), so maybe the doc could mention a "[file]system limit" (instead of an hard one).