On Wed, Aug 3, 2016 at 3:21 PM, Jacob Champion <[email protected]> wrote:
> On 08/03/2016 09:46 AM, [email protected] wrote: > >> Modified: httpd/httpd/trunk/server/protocol.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1755098&r1=1755097&r2=1755098&view=diff >> >> ============================================================================== >> --- httpd/httpd/trunk/server/protocol.c (original) >> +++ httpd/httpd/trunk/server/protocol.c Wed Aug 3 16:46:20 2016 >> @@ -835,8 +835,15 @@ AP_DECLARE(void) ap_get_mime_headers_cor >> return; >> } >> >> - if (last_field != NULL) { >> - if ((len > 0) && ((*field == '\t') || *field == ' ')) { >> + if ((len > 0) && ((*field == '\t') || *field == ' ')) { >> + if (last_field == NULL) { >> + r->status = HTTP_BAD_REQUEST; >> + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, >> APLOGNO(03442) >> + "Line folding encounterd before first" >> + " header line"); >> + return; >> + } >> + >> > > I don't think this is an equivalent transformation. More logic below this > case relies on the last_field NULL check, and I'm currently getting > segfaults on trunk due to the strchr on line 907. > > The addition of the `== NULL` check also triggers a C90 compiler warning > for the combo declaration/assignment of fold_len. Thanks for the heads-up. Investigating.
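Review bot: the non-fold path loses its NULL guard in this hunk. The old outer `if (last_field != NULL) {` protected everything inside that block, while the new `if (last_field == NULL) {` test sits only inside the leading-whitespace branch, so a line that does not start with a space or tab is no longer checked before code that uses last_field, which fits the strchr crash reported in the reply. Keep an explicit `last_field != NULL` condition on the non-fold branch (or restore the outer check and handle the NULL fold case in an else). Separately, the new log string reads "encounterd" and should be "encountered", and a reader cannot tell from this hunk where the 400 for an early fold is documented, so a short comment above the new check would help.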
