From 100beaaf949ab732028e9e7e10757b83b49c5f73 Mon Sep 17 00:00:00 2001
From: Troy Dai <troy.dai@outlook.com>
Date: Tue, 6 Sep 2016 10:54:26 -0700
Subject: [PATCH] Add length constrain in path processing

---
 .../RequestProcessing/NativeRequestContext.cs          |  1 -
 .../RequestProcessing/RawUrlHelper.cs                  | 10 ++++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Microsoft.Net.Http.Server/RequestProcessing/NativeRequestContext.cs b/src/Microsoft.Net.Http.Server/RequestProcessing/NativeRequestContext.cs
index c950358e0c..3c3572a104 100644
--- a/src/Microsoft.Net.Http.Server/RequestProcessing/NativeRequestContext.cs
+++ b/src/Microsoft.Net.Http.Server/RequestProcessing/NativeRequestContext.cs
@@ -183,7 +183,6 @@ namespace Microsoft.Net.Http.Server
 
         internal byte[] GetRawUrlInBytes()
         {
-
             if (NativeRequest->pRawUrl != null && NativeRequest->RawUrlLength > 0)
             {
                 var result = new byte[NativeRequest->RawUrlLength];
diff --git a/src/Microsoft.Net.Http.Server/RequestProcessing/RawUrlHelper.cs b/src/Microsoft.Net.Http.Server/RequestProcessing/RawUrlHelper.cs
index 0d7d194851..4b6b17d637 100644
--- a/src/Microsoft.Net.Http.Server/RequestProcessing/RawUrlHelper.cs
+++ b/src/Microsoft.Net.Http.Server/RequestProcessing/RawUrlHelper.cs
@@ -93,6 +93,11 @@ namespace Microsoft.Net.Http.Server
         /// <returns>Length of the matched bytes, 0 if it is not matched.</returns>
         private static int FindHttpOrHttps(byte[] raw)
         {
+            if (raw.Length < 7)
+            {
+                return 0;
+            }
+
             if (raw[0] != 'h' && raw[0] != 'H')
             {
                 return 0;
@@ -126,6 +131,11 @@ namespace Microsoft.Net.Http.Server
             }
             else if (raw[4] == 's' || raw[4] == 'S')
             {
+                if (raw.Length < 8)
+                {
+                    return 0;
+                }
+
                 if (raw[5] != ':' || raw[6] != '/' || raw[7] != '/')
                 {
                     return 0;