const size_t hdr_len = headersEnd(buf->content(), buf->contentSize());
// TODO: move to httpReplyParseStep()
- if (hdr_len > Config.maxReplyHeaderSize || (hdr_len <= 0 && (size_t)buf->contentSize() > Config.maxReplyHeaderSize)) {
+ if (hdr_len >= Config.maxReplyHeaderSize || (hdr_len <= 0 && (size_t)buf->contentSize() > Config.maxReplyHeaderSize)) {
debugs(58, 1, "HttpMsg::parse: Too large reply header (" <<
hdr_len << " > " << Config.maxReplyHeaderSize);
*error = HTTP_HEADER_TOO_LARGE;
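Review bot: The level-1 message in the `debugs(58, 1, ...)` call no longer matches the condition it reports. With `>=` it also fires when hdr_len equals the limit, and in the second branch (no end of headers found, so hdr_len is 0) it prints `0 > limit`, which hides the buffered size that actually tripped the check. For anyone triaging oversized-reply rejections from the log, it would help to print both sizes and close the parenthesis, e.g. `debugs(58, 1, "HttpMsg::parse: Too large reply header (" << hdr_len << " parsed, " << buf->contentSize() << " buffered, limit " << Config.maxReplyHeaderSize << ")");`. Since hdr_len is declared `size_t`, `hdr_len <= 0` can only mean `hdr_len == 0` and could be written that way. The enclosing function starts and ends outside the hunk.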
/* pre-set these values to make aborting simpler */
*method_p = METHOD_NONE;
+ /* NP: don't be tempted to move this down or remove again.
+ * It's the only DDoS protection old-String has against long URL */
+ if ( hp->bufsiz <= 0) {
+ debugs(33, 5, "Incomplete request, waiting for end of request line");
+ return NULL;
+ }
+ else if ( hp->bufsiz >= Config.maxRequestHeaderSize && (req_sz = headersEnd(hp->buf, Config.maxRequestHeaderSize)) == 0) {
+ debugs(33, 5, "parseHttpRequest: Too large request");
+ return parseHttpRequestAbort(conn, "error:request-too-large");
+ }
+
/* Attempt to parse the first line; this'll define the method, url, version and header begin */
r = HttpParserParseReqLine(hp);
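Review bot: The added `else if` assigns `req_sz` inside its condition, and only when `hp->bufsiz >= Config.maxRequestHeaderSize`, so on every other path `req_sz` keeps whatever value it had before the hunk. If code below reads it (not visible here), that difference is easy to miss. Doing the assignment in its own statement, `req_sz = headersEnd(hp->buf, Config.maxRequestHeaderSize);` followed by `if (req_sz == 0)`, makes the side effect explicit. The rejection is also logged only at `debugs(33, 5, ...)`, so if level 5 is above the usual log verbosity, the one check the comment calls the only protection against long URLs leaves no trace when it fires; a more visible level that includes `hp->bufsiz` and the limit would help operators notice a flood of oversized requests. The enclosing function starts and ends outside the hunk.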