Hi Bernhard,

thanks very much for your traces. They made it easier for me to reproduce the issue. It happens when the chunked data are split in chunks of a size which divides the buffer size. This causes situations where the chunk parser tries to find a CRLF followed by a chunk size and due to a wrong comparison, it checks for the CRLF in data which are not yet received. It does not see it and finds something else instead, so it concludes the response is invalid.

I've fixed the check to consider only unparsed data instead of the whole buffer, and it's now OK for me. Here's the patch that I've merged, in case you want to try now.

Thanks again for your kind responsiveness,
Willy
>From bf3f1de5b58aa77c2a3da4e143d5a7b2f1056b53 Mon Sep 17 00:00:00 2001 From: Willy Tarreau <[email protected]> Date: Wed, 17 Mar 2010 15:54:24 +0100 Subject: [BUG] http: fix truncated responses on chunk encoding when size divides buffer size Bernhard Krieger reported truncated HTTP responses in presence of some specific chunk-encoded data, and kindly offered complete traces of the issue which made it easy to reproduce it. Those traces showed that the chunks were of exactly 8192 bytes, chunk size and CRLF included, which was exactly half the size of the buffer. In this situation, the function http_chunk_skip_crlf() could erroneously try to parse a CRLF after the chunk believing there were more data pending, because the number of bytes present in the buffer was considered instead of the number of remaining bytes to be parsed. --- src/proto_http.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index f1ec7cd..694e98d 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -2245,7 +2245,7 @@ int http_skip_chunk_crlf(struct buffer *buf, struct http_msg *msg) ptr = buf->data; } - if (buf->l < bytes) + if (bytes > buf->l - buf->send_max) return 0; if (*ptr != '\n') -- 1.5.3.3
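Review bot: the commit message refers to http_chunk_skip_crlf(), but the hunk header shows the function being changed is http_skip_chunk_crlf(); the message should use the real name so that searching the log for the function finds this fix. On the changed `if` line, the test depends on buf->l - buf->send_max being the number of bytes still to be parsed, which is only explained in the commit message; a one-line comment above the test saying so would keep it from being simplified back to `buf->l < bytes` later. The subtraction also presumes send_max never exceeds l at this point, which is worth stating in that comment, since an unsigned wrap here would make the check pass on data that has not been received.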

