BUG/MEDIUM: chunks: always reject negative-length chunks

The recent addition of "show env" on the CLI has revealed an interesting
design bug. Chunks are supposed to support a negative length to indicate
that they carry no data. chunk_printf() sets this size to -1 if the string
is too large for the buffer. At a few places in the http engine we may end
up with trash.len = -1. But bi_putchk(), chunk_appendf() and a few other
chunk consumers don't consider this case as possible and will use such a
chunk, possibly restoring an invalid string or trying to copy -1 bytes.

This fix takes care of clarifying the situation in a backportable way
where such sizes are used, so that a negative length indicating an error
remains present until the chunk is reinitialized or overwritten. But a
cleaner design adjustment needs to be done so that there's a clear contract
on how to use these chunks. At first glance it doesn't seem *that* useful
to support negative sizes, so probably this is what should change.

This fix must be backported to 1.6 and 1.5.
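
A simplified model of the contract described in the commit message, added here as an illustration and not taken from HAProxy's source: `struct mchunk`, `mchunk_printf()` and `mchunk_appendf()` are hypothetical names. It assumes only what the message states: an overflowing write sets the length to -1, and that marker must survive later appends until the buffer is overwritten.

```c
#include <stdarg.h>
#include <stdio.h>
/* Simplified model for illustration; not HAProxy's struct chunk. */
struct mchunk {
    char *str;  /* storage */
    int size;   /* capacity in bytes */
    int len;    /* bytes used, or -1 once a write did not fit */
};

/* Overwrite the buffer; on overflow mark it invalid with len = -1. */
static int mchunk_printf(struct mchunk *c, const char *fmt, ...)
{
    va_list ap;
    int ret;
    va_start(ap, fmt);
    ret = vsnprintf(c->str, c->size, fmt, ap);
    va_end(ap);
    c->len = (ret < 0 || ret >= c->size) ? -1 : ret;
    return c->len;
}

/* Append; a negative length is refused before any pointer arithmetic,
 * so str + len and size - len are never computed from an error marker. */
static int mchunk_appendf(struct mchunk *c, const char *fmt, ...)
{
    va_list ap;
    int room, ret;
    if (c->len < 0 || !c->str || !c->size)
        return 0;
    room = c->size - c->len;
    va_start(ap, fmt);
    ret = vsnprintf(c->str + c->len, room, fmt, ap);
    va_end(ap);
    if (ret < 0 || ret >= room) {
        c->str[c->len] = '\0';  /* drop the partial append */
        return 0;
    }
    return c->len += ret;
}

/* Constructed scenario: an append issued after an overflowing printf. */
static int demo_overflow_then_append(void)
{
    char buf[8];
    struct mchunk c = { buf, (int)sizeof(buf), 0 };
    mchunk_printf(&c, "%s", "longer than eight bytes"); /* len = -1 */
    mchunk_appendf(&c, "x");                            /* refused */
    return c.len;
}

int main(void) { printf("%d\n", demo_overflow_then_append()); return 0; }
```

Without the `c->len < 0` test, the append in this model would derive its write pointer and remaining room from -1, which is the class of misuse the message describes.
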
diff --git a/src/chunk.c b/src/chunk.c
index 1359adc..e251107 100644
--- a/src/chunk.c
+++ b/src/chunk.c
@@ -111,7 +111,7 @@
va_list argp;
int ret;
- if (!chk->str || !chk->size)
+ if (chk->len < 0 || !chk->str || !chk->size)
return 0;
va_start(argp, fmt);
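Review bot: The new `chk->len < 0` test in the @@ -111 hunk shares the `return 0` path with `!chk->str || !chk->size`, so a caller cannot tell "chunk already in error state" from "nothing to write into", while the two guards added further down return the negative `dst->len` instead. Either return the negative length here as well, or state in the function's header comment that 0 also covers an invalidated chunk, so the three entry points document one convention.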
@@ -136,6 +136,9 @@
int olen, free;
char c;
+ if (dst->len < 0)
+ return dst->len;
+
olen = dst->len;
for (i = 0; i < src->len; i++) {
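Review bot: Only `dst->len` is validated in the @@ -136 hunk; `src->len` goes straight into `for (i = 0; i < src->len; i++)`. A negative source length makes the loop a silent no-op, so an invalid source chunk is treated as an empty one and the error is not propagated to the caller. Since the commit's stated goal is that a negative length stays visible, consider an explicit `src->len < 0` check beside the new guard, or a comment saying that the empty-source behaviour is intended.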
@@ -177,6 +180,9 @@
int olen, free;
char c;
+ if (dst->len < 0)
+ return dst->len;
+
olen = dst->len;
for (i = 0; i < src->len; i++) {
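Review bot: The guard in the @@ -177 hunk makes this function return a negative value (`return dst->len;`) when the destination is already invalid, which is a change to its return contract that nothing in the hunk documents. Please add a line to the function's header comment stating that a negative return means `dst` was left untouched, so that callers test for `< 0` before using the result as a length. The same three lines are duplicated from the @@ -136 hunk; a shared comment or small helper would keep the two in step when the cleaner design mentioned in the commit message is done.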