This is an automated email from the ASF dual-hosted git repository.

eze pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.2.x by this push:
     new ac0aa3f7ec Make chunk size parsing more strict (#12187) (#12828)
ac0aa3f7ec is described below

commit ac0aa3f7ecf33c318dfd99013370749cd61e44c1
Author: Brian Neradt <[email protected]>
AuthorDate: Mon Jan 26 20:17:13 2026 -0600

    Make chunk size parsing more strict (#12187) (#12828)
    
    Co-authored-by: Katsutoshi Ikenoya <[email protected]>
    Co-authored-by: Masakazu Kitajo <[email protected]>
---
 proxy/http/HttpTunnel.cc                           |  7 ++--
 .../replays/malformed_chunked_header.replay.yaml   | 46 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/proxy/http/HttpTunnel.cc b/proxy/http/HttpTunnel.cc
index e9c0c6eafe..a9c9f1caa2 100644
--- a/proxy/http/HttpTunnel.cc
+++ b/proxy/http/HttpTunnel.cc
@@ -171,9 +171,10 @@ ChunkedHandler::read_size()
           }
         } else {
           // We are done parsing size
-          if ((num_digits == 0 || running_sum < 0) ||       /* Bogus chunk size */
-              (!ParseRules::is_wslfcr(*tmp) && *tmp != ';') /* Unexpected character */
-          ) {
+          const auto is_bogus_chunk_size   = (num_digits == 0 || running_sum < 0);
+          const auto is_rfc_compliant_char = (ParseRules::is_ws(*tmp) || ParseRules::is_cr(*tmp) || *tmp == ';');
+          const auto is_acceptable_lf      = (ParseRules::is_lf(*tmp) && !strict_chunk_parsing);
+          if (is_bogus_chunk_size || (!is_rfc_compliant_char && !is_acceptable_lf)) {
             state = CHUNK_READ_ERROR;
             done  = true;
             break;
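Review bot: `is_acceptable_lf` keeps accepting a bare LF as the chunk-size terminator whenever `strict_chunk_parsing` is false, and the new lines carry no comment saying this is a deliberate compatibility path rather than grammar-conformant input. I would add above it `// Bare LF is not a valid terminator in the chunked grammar (CRLF is required); tolerated only when strict_chunk_parsing is off.` Where the flag is declared and what it defaults to are outside the hunk, so whether this branch's stock configuration rejects the LF-only form cannot be told from here. A proxy that frames chunks differently from its peer is exposed to message desynchronisation, so that default is worth stating in the commit description. `read_size()` begins and ends outside the hunk.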
diff --git a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
index 7c0ccb9a47..d2c773a22c 100644
--- a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
+++ b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
@@ -237,3 +237,49 @@ sessions:
         encoding: uri
         # Chunk header must end with a sequence of CRLF.
         data: 3;x%0Adef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+  - client-request:
+      method: "GET"
+      version: "1.1"
+      url: /response/malformed/chunk/size2
+      headers:
+        fields:
+        - [ Host, example.com ]
+        - [ uuid, 106 ]
+
+    # The connection will be dropped and this response will not go out.
+    server-response:
+      status: 200
+      reason: OK
+      headers:
+        fields:
+        - [ Transfer-Encoding, chunked ]
+      content:
+        transfer: plain
+        encoding: uri
+        # Chunk header must end with a sequence of CRLF.
+        data: 3%0Ddef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+  - client-request:
+      method: "GET"
+      version: "1.1"
+      url: /response/malformed/chunk/size2
+      headers:
+        fields:
+        - [ Host, example.com ]
+        - [ uuid, 107 ]
+
+    # The connection will be dropped and this response will not go out.
+    server-response:
+      status: 200
+      reason: OK
+      headers:
+        fields:
+        - [ Transfer-Encoding, chunked ]
+      content:
+        transfer: plain
+        encoding: uri
+        # Chunk header must end with a sequence of CRLF.
+        data: 3%0Adef%0D%0A0%0D%0A%0D%0A
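Review bot: The two added sessions share the URL `/response/malformed/chunk/size2` and the comment `# Chunk header must end with a sequence of CRLF.`, so nothing on the page tells the CR-only case (uuid 106, `3%0Ddef`) from the LF-only case (uuid 107, `3%0Adef`). Per-case comments would make failures easier to triage, e.g. `# Bare CR after the chunk size, no LF follows.` and `# Bare LF after the chunk size; rejected only when strict chunk parsing is enabled.` A lone CR passes the new check in `read_size()` because `is_cr` is part of `is_rfc_compliant_char`, so uuid 106 presumably depends on a later parser state rejecting the missing LF, and uuid 107 on the test enabling strict parsing; neither is visible here.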
