From owner-freebsd-bugs  Sun Jan  6  6:40:15 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BEF3337B419
	for <freebsd-bugs@hub.freebsd.org>; Sun,  6 Jan 2002 06:40:06 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g06Ee6X82763;
	Sun, 6 Jan 2002 06:40:06 -0800 (PST)
	(envelope-from gnats)
Received: from slovo.yandex.ru (slovo.yandex.ru [213.180.194.148])
	by hub.freebsd.org (Postfix) with ESMTP id D483C37B417
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  6 Jan 2002 06:30:25 -0800 (PST)
Received: (from tejblum@localhost)
	by slovo.yandex.ru (8.11.3/8.9.3) id g06EUJ467960;
	Sun, 6 Jan 2002 17:30:20 +0300 (MSK)
	(envelope-from tejblum)
Message-Id: <200201061430.g06EUJ467960@slovo.yandex.ru>
Date: Sun, 6 Jan 2002 17:30:20 +0300 (MSK)
From: tejblum@yandex-team.ru
Reply-To: tejblum@yandex-team.ru
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/33608: libfetch work unreliable fetching dynamic content, e.g. PHP
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         33608
>Category:       bin
>Synopsis:       libfetch work unreliable fetching dynamic content, e.g. PHP
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 06 06:40:05 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Dmitrij Tejblum
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
Yandex
>Environment:

>Description:
There is the following code in the _http_fillbuf function:

    if (c->chunksize == 0) {
        char endl[2];
        read(c->fd, endl, 2);
    }

It supposed to skip "\r\n" from an end-of-chunk. But c->fd is a socket, thus 
the read may return after reading just one byte, and leave the connection in
an inconsistent state.

>How-To-Repeat:
Observed mostly on files generated by PHP. PHP tends to make chunks of a lot 
of different sizes.
>Fix:
A very simple patch:

Index: http.c
===================================================================
RCS file: /home/ncvs/src/lib/libfetch/http.c,v
retrieving revision 1.13.2.13
diff -u -p -r1.13.2.13 http.c
--- http.c	2001/03/15 23:54:09	1.13.2.13
+++ http.c	2001/12/27 20:33:30
@@ -190,8 +190,9 @@ _http_fillbuf(struct cookie *c)
     c->chunksize -= c->b_len;
     
     if (c->chunksize == 0) {
-	char endl[2];
-	read(c->fd, endl, 2);
+	char endl;
+	read(c->fd, &endl, 1);
+	read(c->fd, &endl, 1);
     }
     
     c->b_pos = 0;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message