Bug 62198 - ap_rgetline_core can return without consuming a full line
Summary: ap_rgetline_core can return without consuming a full line
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2018-03-20 16:34 UTC by Hank Ibell
Modified: 2018-08-04 10:31 UTC



Attachments
Handle AP_GETLINE_NOSPC_EOL flag in ap_rgetline_core() (2.79 KB, patch)
2018-04-12 17:25 UTC, Yann Ylavic
Handle AP_GETLINE_NOSPC_EOL flag in ap_rgetline_core() (6.26 KB, patch)
2018-04-19 14:32 UTC, Yann Ylavic

Description Hank Ibell 2018-03-20 16:34:31 UTC
When ap_rgetline_core hits its own length limit, it does not continue to loop over the core input filter to make sure a full line is consumed, potentially leaving the trailing portion of a long line to resemble a new line.
Comment 1 Eric Covener 2018-03-22 05:50:31 UTC
Seems like one band-aid would be to allow the core input filter to pass a larger static max length to apr_brigade_split_line, e.g. 2x, so callers whose real limits are lost as they call ap_get_brigade() are much safer for the typical scenarios where the limit is only boosted by a few KB (8 to 12/16 KB).

This would mean apr_brigade_split_line would not leave the full line unread for < 16k even if ap_rgetline_core was only willing to take the default 8k or something like 12k.

But really ap_rgetline_core() should be ditching all of this excess when trying to read a line.
Comment 2 Yann Ylavic 2018-04-12 17:25:57 UTC
Created attachment 35863
Handle AP_GETLINE_NOSPC_EOL flag in ap_rgetline_core()

How about this change in ap_rgetline_core(), which optionally (up to the caller) allows consuming the end of line on APR_ENOSPC?

mod_proxy may use it to address Bug 62196.

Also note that in the APR_ENOSPC case, ap_rgetline_core() would now unconditionally fill in the buffer up to its limits, which is not that bad IMHO (before, we might have returned a half-filled or empty buffer depending on the non-fitting bucket size).
Comment 3 Yann Ylavic 2018-04-19 14:32:02 UTC
Created attachment 35885
Handle AP_GETLINE_NOSPC_EOL flag in ap_rgetline_core()

After some testing, this v2 is to address the (corner) case where the line is to be truncated at LF (while CR fits in), see comment in the patch.

With this patch and attachment 35864 (bug 62196), mod_proxy_http behaves correctly for headers above ResponseFieldSize.
Comment 4 Yann Ylavic 2018-04-19 16:07:54 UTC
Committed to trunk in r1829557.
Comment 5 Eric Covener 2018-04-19 18:37:22 UTC
Comment on attachment 35885
Handle AP_GETLINE_NOSPC_EOL flag in ap_rgetline_core()

This did the trick for my heisenbug on Windows while testing Hank's original proxy patch. Thanks!
Comment 6 Christophe JAILLET 2018-08-04 10:31:08 UTC
This has been backported in 2.4.x in r1834093

This is part of 2.4.34
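
The failure mode from the description, next to the drain-to-end-of-line behaviour proposed in comments 2 and 3, as an added example that is not code from the attachments or from httpd. `read_line()`, `struct stream` and `drain_eol` are hypothetical names (`drain_eol` stands in for the idea behind `AP_GETLINE_NOSPC_EOL`), and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: one over-long header line, then a normal one. */
static const char SAMPLE[] = "X-Long: aaaaaaaX-Tail: 1\r\nHost: example\r\n";

struct stream { const char *data; size_t len, pos; };  /* hypothetical input source */
enum { LINE_OK, LINE_NOSPC, LINE_EOF };

/* Read one LF-terminated line into buf (cap bytes including the NUL).
 * If the line does not fit, fill buf to its limit and return LINE_NOSPC;
 * with drain_eol set, also consume the rest of the line through its LF. */
static int read_line(struct stream *s, char *buf, size_t cap, int drain_eol)
{
    size_t n = 0;
    if (s->pos >= s->len) { buf[0] = '\0'; return LINE_EOF; }
    while (s->pos < s->len) {
        char c = s->data[s->pos];
        if (c == '\n') { s->pos++; break; }
        if (n + 1 >= cap) {                       /* buffer full, line is not */
            buf[n] = '\0';
            while (drain_eol && s->pos < s->len && s->data[s->pos++] != '\n')
                ;                                 /* discard up to and including LF */
            return LINE_NOSPC;
        }
        buf[n++] = c;
        s->pos++;
    }
    if (n > 0 && buf[n - 1] == '\r') n--;         /* strip the CR of CRLF */
    buf[n] = '\0';
    return LINE_OK;
}

static char second[16];                           /* second "line" the caller saw */

/* Count the lines a caller with a 16-byte buffer sees in input. */
static int lines_seen(const char *input, int drain_eol)
{
    struct stream s = { input, strlen(input), 0 };
    char buf[16];
    int n = 0;
    second[0] = '\0';
    while (read_line(&s, buf, sizeof buf, drain_eol) != LINE_EOF)
        if (++n == 2) strcpy(second, buf);
    return n;
}

int main(void)
{
    for (int d = 0; d <= 1; d++) {
        int n = lines_seen(SAMPLE, d);
        printf("drain_eol=%d: %d lines, second=\"%s\"\n", d, n, second);
    }
    return 0;
}
```

Without draining, the unread tail of the truncated line is returned by the next call as if it were a separate header line; with draining, the next call returns the real following line.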