From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-3.9 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 073AA1F9FC for ; Thu, 22 Dec 2022 09:02:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yhbt.net; s=selector1; t=1671699732; bh=hP3ig9V4jr6fHtwdBM85Yr4yy5O75rnWiu88/sSq/UU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=CUlCvb6i6Mf9s/GcEwrUHqVpXvbncz16vZaQt9CMVlcp3dNYD+ZyucCOfYteh/Olq euXr5NWq6/Y/ZTEb56gI8A3w+CZIkGHFH+scj3DK741omrxr/fDLwHUrsDv5aS2Wq7 33qeDSpwqiAAv7pBdIY/9uMURbdYrgmFusylw1X8= From: Eric Wong To: yahns-public@yhbt.net Subject: [PATCH 2/4] http_response: clamp body read size Date: Thu, 22 Dec 2022 09:02:09 +0000 Message-Id: <20221222090211.9056-3-bofh@yhbt.net> In-Reply-To: <20221222090211.9056-1-bofh@yhbt.net> References: <20221222090211.9056-1-bofh@yhbt.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit List-Id: We don't want to overread in case a broken HTTP backend sends us excessive data. --- lib/yahns/proxy_http_response.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/yahns/proxy_http_response.rb b/lib/yahns/proxy_http_response.rb index 7df2834..d4a3dda 100644 --- a/lib/yahns/proxy_http_response.rb +++ b/lib/yahns/proxy_http_response.rb @@ -146,6 +146,12 @@ def proxy_res_headers(res, req_res) have_body end + def read_len(len) + max = 0x2000 + max = len if len && len < max + max + end + def proxy_read_body(tip, kcar, req_res) chunk = ''.dup if kcar.chunked? len = kcar.body_bytes_left 
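Review bot: read_len returns 0 when len is 0, since `max = len if len && len < max` accepts a zero body_bytes_left; confirm the caller never reaches kgio_tryread once the body is fully consumed, otherwise a zero-length read can hand back an empty String and the `kcar.body_bytes_left -= tmp.size` path makes no progress. A one-line comment above the method saying that 0x2000 is the existing default read size and that len is nil for bodies without a known length would also help, and the body could read `len ? [len, 0x2000].min : 0x2000` to make the clamp obvious.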
@@ -153,7 +159,7 @@ def proxy_read_body(tip, kcar, req_res) alive = req_res.alive wbuf = req_res.resbuf - case tmp = tip.shift || req_res.kgio_tryread(0x2000, rbuf) + case tmp = tip.shift || req_res.kgio_tryread(read_len(len), rbuf) when String if len kcar.body_bytes_left -= tmp.size # progress for body_eof? => true
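Review bot: the clamp only applies to the kgio_tryread branch of `tip.shift || req_res.kgio_tryread(read_len(len), rbuf)`; anything already queued in tip is still shifted out at its original size, so if that buffered data can exceed len the `body_bytes_left -= tmp.size` accounting can still go past zero on that path. Worth stating in the commit message that, for the tryread path, tmp.size is now bounded by body_bytes_left so the counter can no longer go negative, which is the concrete guarantee this change adds.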