net: don't preserve 1xx responses in parser buffer.

net/http/http_stream_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_parser.h"
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
@@ skipping 286 matching lines @@
   // This function can be called with io_state_ == STATE_DONE if the
   // connection is closed after seeing just a 1xx response code.
   if (io_state_ == STATE_DONE)
     return ERR_CONNECTION_CLOSED;
 
   int result = OK;
   io_state_ = STATE_READ_HEADERS;
 
   if (read_buf_->offset() > 0) {
     // Simulate the state where the data was just read from the socket.
-    result = read_buf_->offset() - read_buf_unused_offset_;
-    read_buf_->set_offset(read_buf_unused_offset_);
+    DCHECK_EQ(0, read_buf_unused_offset_);

[SkyLined, 2013/09/30 18:27:47]

Should we move this DCHECK to the start of the function?

[agl, 2013/09/30 20:59:28]

Done.

+    result = read_buf_->offset();
+    read_buf_->set_offset(0);
   }
   if (result > 0)
     io_state_ = STATE_READ_HEADERS_COMPLETE;
 
   result = DoLoop(result);
   if (result == ERR_IO_PENDING)
     callback_ = callback;
 
   return result > 0 ? OK : result;
 }
@@ skipping 254 matching lines @@
   int end_of_header_offset = ParseResponseHeaders();
 
   // Note: -1 is special, it indicates we haven't found the end of headers.
   // Anything less than -1 is a net::Error, so we bail out.
   if (end_of_header_offset < -1)
     return end_of_header_offset;
 
   if (end_of_header_offset == -1) {
     io_state_ = STATE_READ_HEADERS;
     // Prevent growing the headers buffer indefinitely.
-    if (read_buf_->offset() - read_buf_unused_offset_ >= kMaxHeaderBufSize) {
+    DCHECK_EQ(0, read_buf_unused_offset_);

[SkyLined, 2013/09/30 18:27:47]

Should we move this DCHECK to the start of the function?

[agl, 2013/09/30 20:59:28]

Done.

+    if (read_buf_->offset() >= kMaxHeaderBufSize) {
       io_state_ = STATE_DONE;
       return ERR_RESPONSE_HEADERS_TOO_BIG;
     }
   } else {
     // Note where the headers stop.
     read_buf_unused_offset_ = end_of_header_offset;

[SkyLined, 2013/09/30 18:27:47]

This is only needed if the response contains a body. Otherwise the value gets
set to 0. It should therefore probably be moved down to just above line 620,
before "io_state_ = STATE_BODY_PENDING;".

[agl, 2013/09/30 20:59:28]

Done.

 
-    if (response_->headers->response_code() / 100 == 1) {
-      // After processing a 1xx response, the caller will ask for the next
-      // header, so reset state to support that.  We don't just skip these
-      // completely because 1xx codes aren't acceptable when establishing a
-      // tunnel.
-      io_state_ = STATE_REQUEST_SENT;
-      response_header_start_offset_ = -1;
+    CalculateResponseBodySize();
+    // If the body is 0, the caller may not call ReadResponseBody, which
+    // is where any extra data is copied to read_buf_, so we move the
+    // data here.
+    if (response_body_length_ == 0) {
+      int extra_bytes = read_buf_->offset() - read_buf_unused_offset_;
+      if (extra_bytes) {
+        CHECK_GT(extra_bytes, 0);
+        memmove(read_buf_->StartOfBuffer(),
+                read_buf_->StartOfBuffer() + read_buf_unused_offset_,
+                extra_bytes);
+      }
+      read_buf_->SetCapacity(extra_bytes);
+      read_buf_unused_offset_ = 0;
+      if (response_->headers->response_code() / 100 == 1) {
+        // After processing a 1xx response, the caller will ask for the next
+        // header, so reset state to support that.  We don't just skip these
+        // completely because 1xx codes aren't acceptable when establishing a
+        // tunnel.
+        response_header_start_offset_ = -1;
+        response_body_length_ = -1;
+        io_state_ = STATE_REQUEST_SENT;
+      } else {
+        io_state_ = STATE_DONE;
+      }
+      return OK;
     } else {
       io_state_ = STATE_BODY_PENDING;
-      CalculateResponseBodySize();
-      // If the body is 0, the caller may not call ReadResponseBody, which
-      // is where any extra data is copied to read_buf_, so we move the
-      // data here and transition to DONE.
-      if (response_body_length_ == 0) {
-        io_state_ = STATE_DONE;
-        int extra_bytes = read_buf_->offset() - read_buf_unused_offset_;
-        if (extra_bytes) {
-          CHECK_GT(extra_bytes, 0);
-          memmove(read_buf_->StartOfBuffer(),
-                  read_buf_->StartOfBuffer() + read_buf_unused_offset_,
-                  extra_bytes);
-        }
-        read_buf_->SetCapacity(extra_bytes);
-        read_buf_unused_offset_ = 0;
-        return OK;
-      }
     }
   }
   return result;
 }
 
 int HttpStreamParser::DoReadBody() {
   io_state_ = STATE_READ_BODY_COMPLETE;
 
   // There may be some data left over from reading the response headers.
   if (read_buf_->offset()) {
@@ skipping 120 matching lines @@
   }
 
   return result;
 }
 
 int HttpStreamParser::ParseResponseHeaders() {
   int end_offset = -1;
 
   // Look for the start of the status line, if it hasn't been found yet.
   if (response_header_start_offset_ < 0) {
+    DCHECK_EQ(0, read_buf_unused_offset_);

[SkyLined, 2013/09/30 18:27:47]

Should we move this DCHECK to the start of the function?

[agl, 2013/09/30 20:59:28]

Done.

     response_header_start_offset_ = HttpUtil::LocateStartOfStatusLine(
-        read_buf_->StartOfBuffer() + read_buf_unused_offset_,
-        read_buf_->offset() - read_buf_unused_offset_);
+        read_buf_->StartOfBuffer(), read_buf_->offset());
   }
 
   if (response_header_start_offset_ >= 0) {
-    end_offset = HttpUtil::LocateEndOfHeaders(
-        read_buf_->StartOfBuffer() + read_buf_unused_offset_,
-        read_buf_->offset() - read_buf_unused_offset_,
-        response_header_start_offset_);
+    DCHECK_EQ(0, read_buf_unused_offset_);

[SkyLined, 2013/09/30 18:27:47]

Should we move this DCHECK to the start of the function?

[agl, 2013/09/30 20:59:28]

Done.

+    end_offset = HttpUtil::LocateEndOfHeaders(read_buf_->StartOfBuffer(),
+                                              read_buf_->offset(),
+                                              response_header_start_offset_);
   } else if (read_buf_->offset() - read_buf_unused_offset_ >= 8) {
     // Enough data to decide that this is an HTTP/0.9 response.
     // 8 bytes = (4 bytes of junk) + "http".length()
     end_offset = 0;
   }
 
   if (end_offset == -1)
     return -1;
 
   int rv = DoParseResponseHeaders(end_offset);
   if (rv < 0)
     return rv;
-  return end_offset + read_buf_unused_offset_;
+  DCHECK_EQ(0, read_buf_unused_offset_);

[SkyLined, 2013/09/30 18:27:47]

Should we move this DCHECK to the start of the function?

[agl, 2013/09/30 20:59:28]

Done.

+  return end_offset;
 }
 
 int HttpStreamParser::DoParseResponseHeaders(int end_offset) {
   scoped_refptr<HttpResponseHeaders> headers;
   if (response_header_start_offset_ >= 0) {
     headers = new HttpResponseHeaders(HttpUtil::AssembleRawHeaders(
         read_buf_->StartOfBuffer() + read_buf_unused_offset_, end_offset));

[SkyLined, 2013/09/30 18:27:47]

"read_buf_unused_offset_" should be removed here too.

[agl, 2013/09/30 20:59:28]

Done.

   } else {
     // Enough data was read -- there is no status line.
     headers = new HttpResponseHeaders(std::string("HTTP/0.9 200 OK"));
   }
 
   // Check for multiple Content-Length headers with no Transfer-Encoding header.
   // If they exist, and have distinct values, it's a potential response
   // smuggling attack.
   if (!headers->HasHeader("Transfer-Encoding")) {
     if (HeadersContainMultipleCopiesOfField(*headers.get(), "Content-Length"))
@@ skipping 26 matching lines @@
   // RFC 2616 Section 4.3 Message Body:
   //
   // For response messages, whether or not a message-body is included with
   // a message is dependent on both the request method and the response
   // status code (section 6.1.1). All responses to the HEAD request method
   // MUST NOT include a message-body, even though the presence of entity-
   // header fields might lead one to believe they do. All 1xx
   // (informational), 204 (no content), and 304 (not modified) responses
   // MUST NOT include a message-body. All other responses do include a
   // message-body, although it MAY be of zero length.
-  switch (response_->headers->response_code()) {
-    // Note that 1xx was already handled earlier.
-    case 204:  // No Content
-    case 205:  // Reset Content
-    case 304:  // Not Modified
-      response_body_length_ = 0;
-      break;
+  if (response_->headers->response_code() / 100 == 1) {
+    response_body_length_ = 0;
+  } else {
+    switch (response_->headers->response_code()) {
+      case 204:  // No Content
+      case 205:  // Reset Content
+      case 304:  // Not Modified
+        response_body_length_ = 0;
+        break;
+    }
   }
   if (request_->method == "HEAD")
     response_body_length_ = 0;
 
   if (response_body_length_ == -1) {
     // "Transfer-Encoding: chunked" trumps "Content-Length: N"
     if (response_->headers->IsChunkEncoded()) {
       chunked_decoder_.reset(new HttpChunkedDecoder());
     } else {
       response_body_length_ = response_->headers->GetContentLength();
@@ skipping 96 matching lines @@
       request_body->IsInMemory() &&
       request_body->size() > 0) {
     size_t merged_size = request_headers.size() + request_body->size();
     if (merged_size <= kMaxMergedHeaderAndBodySize)
       return true;
   }
   return false;
 }
 
 }  // namespace net