Skip to content

Commit

Permalink
http: fix out-of-order 'finish' bug in pipelining
Browse files Browse the repository at this point in the history
Changes to `stream_base.cc` are required to support empty writes.
Fixes CVE-2015-7384, #3138

Fix: #2639
PR-URL: #3128
  • Loading branch information
indutny authored and rvagg committed Oct 5, 2015
1 parent 9faf4c6 commit 99943e1
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 7 deletions.
10 changes: 4 additions & 6 deletions lib/_http_outgoing.js
Original file line number Diff line number Diff line change
Expand Up @@ -133,12 +133,6 @@ OutgoingMessage.prototype._writeRaw = function(data, encoding, callback) {
encoding = null;
}

if (data.length === 0) {
if (typeof callback === 'function')
process.nextTick(callback);
return true;
}

var connection = this.connection;
if (connection &&
connection._httpMessage === this &&
Expand All @@ -158,6 +152,10 @@ OutgoingMessage.prototype._writeRaw = function(data, encoding, callback) {
this.output = [];
this.outputEncodings = [];
this.outputCallbacks = [];
} else if (data.length === 0) {
if (typeof callback === 'function')
process.nextTick(callback);
return true;
}

// Directly write to socket.
Expand Down
2 changes: 1 addition & 1 deletion src/stream_base.cc
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ int StreamBase::Writev(const FunctionCallbackInfo<Value>& args) {

// Write string
offset = ROUND_UP(offset, WriteWrap::kAlignSize);
CHECK_LT(offset, storage_size);
CHECK_LE(offset, storage_size);
char* str_storage = req_wrap->Extra(offset);
size_t str_size = storage_size - offset;

Expand Down
34 changes: 34 additions & 0 deletions test/parallel/test-http-pipeline-regr-2639.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
'use strict';
const common = require('../common');
const assert = require('assert');
const http = require('http');
const net = require('net');

const COUNT = 10;

var received = 0;

var server = http.createServer(function(req, res) {
// Close the server, we have only one TCP connection anyway
if (received++ === 0)
server.close();

res.writeHead(200);
res.write('data');

setTimeout(function() {
res.end();
}, (Math.random() * 100) | 0);
}).listen(common.PORT, function() {
const s = net.connect(common.PORT);

var big = '';
for (var i = 0; i < COUNT; i++)
big += 'GET / HTTP/1.0\r\n\r\n';
s.write(big);
s.resume();
});

process.on('exit', function() {
assert.equal(received, COUNT);
});

0 comments on commit 99943e1

Please sign in to comment.