diff options
| author | Sebastian Benoit <benno@cvs.openbsd.org> | 2015-07-18 16:01:29 +0000 |
|---|---|---|
| committer | Sebastian Benoit <benno@cvs.openbsd.org> | 2015-07-18 16:01:29 +0000 |
| commit | bba92d5355ab193337ef6636ee333071be41fcca (patch) | |
| tree | b4963a7fb545ce3c6a596f63c1e756c1c11c8432 /usr.sbin/relayd/relay_http.c | |
| parent | 157cfa18ebcb64477576ae720a776a46d8f7a188 (diff) | |
Fix unbounded buffer growth. In the case of a slow client reading large files,
we would consume large ammounts of memory.
Found by Matthew Martin <matt DOT a DOT martin AT gmail DOT com> in
httpd, fixed in httpd by florian@
feedback from florian, reyk and bluhm, ok bluhm, reyk
Diffstat (limited to 'usr.sbin/relayd/relay_http.c')
| -rw-r--r-- | usr.sbin/relayd/relay_http.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/usr.sbin/relayd/relay_http.c b/usr.sbin/relayd/relay_http.c index 200700d2dda..351e89181ec 100644 --- a/usr.sbin/relayd/relay_http.c +++ b/usr.sbin/relayd/relay_http.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay_http.c,v 1.50 2015/06/12 14:40:55 reyk Exp $ */ +/* $OpenBSD: relay_http.c,v 1.51 2015/07/18 16:01:28 benno Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -461,6 +461,8 @@ relay_read_httpcontent(struct bufferevent *bev, void *arg) { struct ctl_relay_event *cre = arg; struct rsession *con = cre->con; + struct protocol *proto = con->se_relay->rl_proto; + struct evbuffer *src = EVBUFFER_INPUT(bev); size_t size; @@ -498,6 +500,11 @@ relay_read_httpcontent(struct bufferevent *bev, void *arg) if (con->se_done) goto done; bufferevent_enable(bev, EV_READ); + + if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) > + (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz) + bufferevent_disable(cre->bev, EV_READ); + if (bev->readcb != relay_read_httpcontent) bev->readcb(bev, arg); /* The callback readcb() might have freed the session. */ @@ -514,6 +521,7 @@ relay_read_httpchunks(struct bufferevent *bev, void *arg) { struct ctl_relay_event *cre = arg; struct rsession *con = cre->con; + struct protocol *proto = con->se_relay->rl_proto; struct evbuffer *src = EVBUFFER_INPUT(bev); char *line; long long llval; @@ -616,6 +624,11 @@ relay_read_httpchunks(struct bufferevent *bev, void *arg) if (con->se_done) goto done; bufferevent_enable(bev, EV_READ); + + if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) > + (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz) + bufferevent_disable(cre->bev, EV_READ); + if (EVBUFFER_LENGTH(src)) bev->readcb(bev, arg); /* The callback readcb() might have freed the session. */ |