Fixed duplicate name/value header block detection

This commit is contained in:
Tatsuhiro Tsujikawa 2012-03-29 23:50:08 +09:00
parent dea8a484b2
commit 67e83e09a6
1 changed files with 15 additions and 10 deletions

View File

@ -218,17 +218,22 @@ int spdylay_frame_unpack_nv_check_name(uint8_t *buf, size_t buflen,
len = spdylay_frame_get_nv_len(in, len_size); len = spdylay_frame_get_nv_len(in, len_size);
in += len_size+len; in += len_size+len;
} }
if(n > 0) {
uint32_t len1, len2;
qsort(buf, n, sizeof(uint8_t*), qsort(buf, n, sizeof(uint8_t*),
len_size == 2 ? len_size == 2 ?
spdylay_length_prefix_str_compar2 : spdylay_length_prefix_str_compar4); spdylay_length_prefix_str_compar2 :
spdylay_length_prefix_str_compar4);
index = (const uint8_t**)buf; index = (const uint8_t**)buf;
len1 = spdylay_frame_get_nv_len(*index, len_size);
for(i = 1; i < n; ++i) { for(i = 1; i < n; ++i) {
uint32_t len1 = spdylay_frame_get_nv_len(*(index+i-1), len_size); len2 = spdylay_frame_get_nv_len(*(index+i), len_size);
uint32_t len2 = spdylay_frame_get_nv_len(*(index+i), len_size);
if(len1 == len2 && memcmp(*(index+i-1)+len_size, *(index+i)+len_size, if(len1 == len2 && memcmp(*(index+i-1)+len_size, *(index+i)+len_size,
len_size) == 0) { len1) == 0) {
return SPDYLAY_ERR_INVALID_HEADER_BLOCK; return SPDYLAY_ERR_INVALID_HEADER_BLOCK;
} }
len1 = len2;
}
} }
return 0; return 0;
} }