From 674b91b82b0ea6e3462aa5b26a424925a08fade8 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 23 Aug 2023 12:18:34 +0200
Subject: net.http.parser: Reject overlarge header section earlier

This case would eventually be rejected by the buffer size limit.
---
 net/http/parser.lua | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'net/http/parser.lua')

diff --git a/net/http/parser.lua b/net/http/parser.lua
index a6624662..12d40883 100644
--- a/net/http/parser.lua
+++ b/net/http/parser.lua
@@ -59,7 +59,13 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
 			while buffer:length() > 0 do
 				if state == nil then -- read request
 					local index = buffer:sub(1, headlimit):find("\r\n\r\n", nil, true);
-					if not index then return; end -- not enough data
+					if not index then
+						if buffer:length() > headlimit then
+							return error_cb("header-too-large");
+						end
+						-- not enough data
+						return;
+					end
 					-- FIXME was reason_phrase meant to be passed on somewhere?
 					local method, path, httpversion, status_code, reason_phrase; -- luacheck: ignore reason_phrase
 					local first_line;
-- 
cgit v1.2.3