Properly update examined when parsing chunked requests (part 2) (#8360)

2019-03-08 22:24:02 -08:00 · 2019-03-08 22:24:02 -08:00 · 1ac6f3d4fd
parent bc009fc0f1
commit 1ac6f3d4fd
1 changed files with 11 additions and 7 deletions
--- a/src/Servers/Kestrel/Core/src/Internal/Http/Http1ChunkedEncodingMessageBody.cs
+++ b/src/Servers/Kestrel/Core/src/Internal/Http/Http1ChunkedEncodingMessageBody.cs
@ -323,7 +323,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http
                return;
            }

-            // Assigned this before calculating the chunk size since that can throw
+            // Advance examined before possibly throwing, so we don't risk examining less than the previous call to ParseChunkedPrefix.
            examined = reader.Position;

            var chunkSize = CalculateChunkSize(ch1, 0);
@ -348,10 +348,12 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http
                    return;
                }

+                // Advance examined before possibly throwing, so we don't risk examining less than the previous call to ParseChunkedPrefix.
+                examined = reader.Position;
+
                if (ch1 == '\r' && ch2 == '\n')
                {
                    consumed = reader.Position;
-                    examined = reader.Position;

                    AddAndCheckConsumedBytes(reader.Consumed);
                    _inputLength = chunkSize;
@ -363,9 +365,6 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http
                ch1 = ch2;
            }

-            // Set examined so that we capture the progress that way made
-            examined = reader.Position;
-
            // At this point, 10 bytes have been consumed which is enough to parse the max value "7FFFFFFF\r\n".
            BadHttpRequestException.Throw(RequestRejectionReason.BadChunkSizeData);
        }
@ -453,10 +452,13 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http

            var suffixBuffer = buffer.Slice(0, 2);
            var suffixSpan = suffixBuffer.ToSpan();
+
+            // Advance examined before possibly throwing, so we don't risk examining less than the previous call to ParseChunkedSuffix.
+            examined = suffixBuffer.End;
+
            if (suffixSpan[0] == '\r' && suffixSpan[1] == '\n')
            {
                consumed = suffixBuffer.End;
-                examined = suffixBuffer.End;
                AddAndCheckConsumedBytes(2);
                _mode = Mode.Prefix;
            }
@ -480,10 +482,12 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http
            var trailerBuffer = buffer.Slice(0, 2);
            var trailerSpan = trailerBuffer.ToSpan();

+            // Advance examined before possibly throwing, so we don't risk examining less than the previous call to ParseChunkedTrailer.
+            examined = trailerBuffer.End;
+
            if (trailerSpan[0] == '\r' && trailerSpan[1] == '\n')
            {
                consumed = trailerBuffer.End;
-                examined = trailerBuffer.End;
                AddAndCheckConsumedBytes(2);
                _mode = Mode.Complete;
            }