Bug 632419 - HTTP 100 level parser race condition r=bz

2024-09-13 09:24:08 -07:00 · 2011-03-23 10:59:58 -04:00 · 2011-03-23 10:59:58 -04:00 · 4bd3cac746
commit 4bd3cac746
parent 88b5ba318f
1 changed files with 19 additions and 3 deletions
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@ -797,6 +797,7 @@ nsHttpTransaction::ParseLineSegment(char *segment, PRUint32 len)
            LOG(("ignoring 1xx response\n"));
            mHaveStatusLine = PR_FALSE;
            mHttpResponseMatched = PR_FALSE;
+            mConnection->SetLastTransactionExpectedNoContent(PR_TRUE);
            mResponseHead->Reset();
            return NS_OK;
        }
@ -885,6 +886,7 @@ nsHttpTransaction::ParseHead(char *buf,
    }
    // otherwise we can assume that we don't have a HTTP/0.9 response.

+    NS_ABORT_IF_FALSE (mHttpResponseMatched, "inconsistent");
    while ((eol = static_cast<char *>(memchr(buf, '\n', count - *countRead))) != nsnull) {
        // found line in range [buf:eol]
        len = eol - buf + 1;
@ -905,6 +907,12 @@ nsHttpTransaction::ParseHead(char *buf,

        // skip over line
        buf = eol + 1;
+
+        if (!mHttpResponseMatched) {
+            // a 100 class response has caused us to throw away that set of
+            // response headers and look for the next response
+            return NS_ERROR_NET_INTERRUPT;
+        }
    }

    // do something about a partial header line
@ -1100,9 +1108,17 @@ nsHttpTransaction::ProcessData(char *buf, PRUint32 count, PRUint32 *countRead)
    if (!mHaveAllHeaders) {
        PRUint32 bytesConsumed = 0;

-        rv = ParseHead(buf, count, &bytesConsumed);
-        if (NS_FAILED(rv)) return rv;
-
+        do {
+            PRUint32 localBytesConsumed = 0;
+            char *localBuf = buf + bytesConsumed;
+            PRUint32 localCount = count - bytesConsumed;
+            
+            rv = ParseHead(localBuf, localCount, &localBytesConsumed);
+            if (NS_FAILED(rv) && rv != NS_ERROR_NET_INTERRUPT)
+                return rv;
+            bytesConsumed += localBytesConsumed;
+        } while (rv == NS_ERROR_NET_INTERRUPT);
+        
        count -= bytesConsumed;

        // if buf has some content in it, shift bytes to top of buf.