From tejblum@yandex.ru  Sun Jan  6 06:30:29 2002
Return-Path: <tejblum@yandex.ru>
Received: from slovo.yandex.ru (slovo.yandex.ru [213.180.194.148])
	by hub.freebsd.org (Postfix) with ESMTP id D483C37B417
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  6 Jan 2002 06:30:25 -0800 (PST)
Received: (from tejblum@localhost)
	by slovo.yandex.ru (8.11.3/8.9.3) id g06EUJ467960;
	Sun, 6 Jan 2002 17:30:20 +0300 (MSK)
	(envelope-from tejblum)
Message-Id: <200201061430.g06EUJ467960@slovo.yandex.ru>
Date: Sun, 6 Jan 2002 17:30:20 +0300 (MSK)
From: tejblum@yandex-team.ru
Reply-To: tejblum@yandex-team.ru
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: libfetch work unreliable fetching dynamic content, e.g. PHP
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         33608
>Category:       bin
>Synopsis:       libfetch work unreliable fetching dynamic content, e.g. PHP
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 06 06:40:05 PST 2002
>Closed-Date:    Sun Feb 3 04:32:57 PST 2002
>Last-Modified:  Sun Feb 03 04:32:58 PST 2002
>Originator:     Dmitrij Tejblum
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
Yandex
>Environment:

>Description:
There is the following code in the _http_fillbuf function:

    if (c->chunksize == 0) {
        char endl[2];
        read(c->fd, endl, 2);
    }

It supposed to skip "\r\n" from an end-of-chunk. But c->fd is a socket, thus 
the read may return after reading just one byte, and leave the connection in
an inconsistent state.

>How-To-Repeat:
Observed mostly on files generated by PHP. PHP tends to make chunks of a lot 
of different sizes.
>Fix:
A very simple patch:

Index: http.c
===================================================================
RCS file: /home/ncvs/src/lib/libfetch/http.c,v
retrieving revision 1.13.2.13
diff -u -p -r1.13.2.13 http.c
--- http.c	2001/03/15 23:54:09	1.13.2.13
+++ http.c	2001/12/27 20:33:30
@@ -190,8 +190,9 @@ _http_fillbuf(struct cookie *c)
     c->chunksize -= c->b_len;
     
     if (c->chunksize == 0) {
-	char endl[2];
-	read(c->fd, endl, 2);
+	char endl;
+	read(c->fd, &endl, 1);
+	read(c->fd, &endl, 1);
     }
     
     c->b_pos = 0;
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Jan 6 10:22:16 PST 2002 
Responsible-Changed-Why:  
DES is the fetch maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33608 

From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/33608
Date: 12 Jan 2002 15:28:27 +0100

 How about the following patch instead:
 
 Index: http.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libfetch/http.c,v
 retrieving revision 1.49
 diff -u -u -r1.49 http.c
 --- http.c      1 Jan 2002 16:25:29 -0000       1.49
 +++ http.c      12 Jan 2002 14:27:19 -0000
 @@ -196,7 +196,12 @@
 
      if (c->chunksize == 0) {
         char endl[2];
 -       read(c->fd, endl, 2);
 +       if (read(c->fd, endl[0], 1) == -1)
 +           return -1;
 +       if (read(c->fd, endl[1], 1) == -1)
 +           return -1;
 +       if (strncmp(endl, ENDL, 2) != 0)
 +           return -1;
      }
 
      c->b_pos = 0;
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org

From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/33608
Date: 12 Jan 2002 15:58:16 +0100

 Dag-Erling Smorgrav <des@ofug.org> writes:
 > How about the following patch instead:
 
 Argh!  Coffee first, *then* hack.  Disregard this patch; it won't even
 compile.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
State-Changed-From-To: open->feedback 
State-Changed-By: des 
State-Changed-When: Sun Jan 20 11:53:33 PST 2002 
State-Changed-Why:  
Fixed in -CURRENT, awaiting MFC. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33608 

From: Dag-Erling Smorgrav <des@ofug.org>
To: tejblum@yandex-team.ru
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/33608: libfetch work unreliable fetching dynamic content, e.g. PHP
Date: 20 Jan 2002 20:49:59 +0100

 Here's a correct (and tested) patch:
 
 Index: http.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libfetch/http.c,v
 retrieving revision 1.49
 diff -u -r1.49 http.c
 --- http.c	1 Jan 2002 16:25:29 -0000	1.49
 +++ http.c	12 Jan 2002 14:58:55 -0000
 @@ -195,8 +195,10 @@
      c->chunksize -= c->b_len;
      
      if (c->chunksize == 0) {
 -	char endl[2];
 -	read(c->fd, endl, 2);
 +	char endl;
 +	if (read(c->fd, &endl, 1) == -1 ||
 +	    read(c->fd, &endl, 1) == -1)
 +	    return -1;
      }
      
      c->b_pos = 0;
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
State-Changed-From-To: feedback->closed 
State-Changed-By: des 
State-Changed-When: Sun Feb 3 04:32:57 PST 2002 
State-Changed-Why:  
Fixed in -CURRENT and -STABLE. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33608 
>Unformatted:
