[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #50845] Wrong SSI tag handling if tag places on the ed

From: Dmitry
Subject: [lwip-devel] [bug #50845] Wrong SSI tag handling if tag places on the edge of 2xMSS buffer and LWIP_HTTPD_SSI_INCLUDE_TAG = 0
Date: Fri, 21 Apr 2017 04:12:14 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0


                 Summary: Wrong SSI tag handling if tag places on the edge of
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: gdi
            Submitted on: Fri 21 Apr 2017 08:12:13 AM UTC
                Category: apps
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 1.4.1



I found a trouble in SSI handling in httpsever_raw application of lwip v1.4.1
and the same issue presented in v2.0.x too.
The issue is appeared if we will set LWIP_HTTPD_SSI_INCLUDE_TAG = 0 and will
parse a long *.shtml file which size more than 5840 (2x2920) bytes and if you
have SSI tag which starts before 5840-th byte of file and it has its closing
'>' symbol after the 5840-th byte. 
In this case we won't set the hs->tag_end variable and it will point to the
end of previous tag and hs->tag_state will be in a TAG_FOUND state. So the
state machine will be in some unfinished state. And in this situation the next
part of data will be loaded to the 'hs->file' buffer, but the tag state
machine will point to the old addresses. In this case the buffer won't be
handled till the address which is pointed by hs->parsed and then continue to
parse the buffer at near the end position. And file buffer will be sent as is
with all unparsed tags.

I'm also found a solution:
I've add some checking.
Sorry this is not a patch, because I can't find where can I clone this
sources. Initially I've got it from Texas Instruments Tiva Ware examples.

    /* If we drop out of the end of the for loop, this implies we must have
     * file data to send so send it now. In TAG_SENDING state, we've already
     * handled this so skip the send if that's the case. */
    if((hs->tag_state != TAG_SENDING) && (hs->parsed > hs->file)) {
      /* We cannot send more data than space available in the send
         buffer. */
      if (tcp_sndbuf(pcb) < (hs->parsed - hs->file)) {
        len = tcp_sndbuf(pcb);
+      } else if ((hs->tag_state != TAG_NONE) && (hs->tag_started >
+      {/* If we found tag on the edge of 2*mss buffer (5240 bytes) */
+        len = (u16_t)(hs->tag_started - hs->file);
+        hs->left -= (hs->parsed - hs->tag_started);
+        hs->parsed = hs->tag_started;
+        hs->tag_started = hs->buf;
      } else {
        LWIP_ASSERT("Data size does not fit into u16_t!",
                    (hs->parsed - hs->file) <= 0xffff);

The same fix can be applied in appropriate place in lwip v2.0.x httpd


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]