Detect runaway chunks in ngx_http_parse_chunked(). As defined in HTTP/1.1, body chunks have the following ABNF: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF where chunk-data is a sequence of chunk-size octets. With this change, chunk-data that doesn't end up with CRLF at chunk-size offset will be treated as invalid, such as in the example provided below: 4 SEE-THIS-AND- 4 THAT 0

commit: 9701642af39efeb06a119f62bc0255db0a0f0a0f [log] [tgz]
author: Sergey Kandaurov <pluknet@nginx.com> Tue Sep 03 17:26:56 2019 +0300
committer: Sergey Kandaurov <pluknet@nginx.com> Tue Sep 03 17:26:56 2019 +0300
tree: 21a7e00b9548d030ed7bc476a62837229294b83b
parent: 79279b6a61e8685e6d3e030768620665e32cb296 [diff]
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index d9a1dbe..8e1b118 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c

@@ -2268,6 +2268,9 @@
                 break;
             case LF:
                 state = sw_chunk_start;
+                break;
+            default:
+                goto invalid;
             }
             break;
commit	9701642af39efeb06a119f62bc0255db0a0f0a0f	[log] [tgz]
author	Sergey Kandaurov <pluknet@nginx.com>	Tue Sep 03 17:26:56 2019 +0300
committer	Sergey Kandaurov <pluknet@nginx.com>	Tue Sep 03 17:26:56 2019 +0300
tree	21a7e00b9548d030ed7bc476a62837229294b83b
parent	79279b6a61e8685e6d3e030768620665e32cb296 [diff]