From e6dee9c10f2693022bb248c1c0b6f2b9dbb3e491 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Tue, 28 Aug 2007 18:16:32 +0000
Subject: [PATCH 1/1] Fix possible memory corruption in server_http, make sure it's not executed for ordinary server headers and mark some problems for later.

---
 parsers.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/parsers.c b/parsers.c
index 522f3cb1..ccba8a7d 100644
--- a/parsers.c
+++ b/parsers.c
@@ -1,4 +1,4 @@
-const char parsers_rcs[] = "$Id: parsers.c,v 1.105 2007/08/11 14:49:49 fabiankeil Exp $";
+const char parsers_rcs[] = "$Id: parsers.c,v 1.106 2007/08/18 14:30:32 fabiankeil Exp $";
 /*********************************************************************
  *
  * File : $Source: /cvsroot/ijbswa/current/parsers.c,v $
@@ -44,6 +44,9 @@ const char parsers_rcs[] = "$Id: parsers.c,v 1.105 2007/08/11 14:49:49 fabiankei
  *
  * Revisions :
  * $Log: parsers.c,v $
+ * Revision 1.106 2007/08/18 14:30:32 fabiankeil
+ * Let content-type-overwrite{} honour force-text-mode again.
+ *
  * Revision 1.105 2007/08/11 14:49:49 fabiankeil
  * - Add prototpyes for the header parsers and make them static.
  * - Comment out client_accept_encoding_adder() which isn't used right now.
@@ -816,7 +819,7 @@ const struct parsers client_patterns[] = {
 };
 
 const struct parsers server_patterns[] = {
-   { "HTTP", 4, server_http },
+   { "HTTP/", 5, server_http },
    { "set-cookie:", 11, server_set_cookie },
    { "connection:", 11, connection },
    { "Content-Type:", 13, server_content_type },
@@ -3703,6 +3706,7 @@ static jb_err connection_close_adder(struct client_state *csp)
  *********************************************************************/
 static jb_err server_http(struct client_state *csp, char **header)
 {
+   /* XXX: Doesn't belong here. */
    sscanf(*header, "HTTP/%*d.%*d %d", &(csp->http->status));
    if (csp->http->status == 206)
    {
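Review bot: The `sscanf` right after the new `/* XXX: Doesn't belong here. */` comment ignores its return value, so a status line that carries no parsable code leaves `csp->http->status` holding whatever it held before and the `== 206` test below operates on stale data; whether the field is zeroed earlier is not visible from this hunk. Since the hunk itself already flags the line as misplaced, the cheap interim fix is to reset and check: `csp->http->status = 0;` before the call, and `if (sscanf(*header, "HTTP/%*d.%*d %d", &(csp->http->status)) != 1) { log_error(LOG_LEVEL_INFO, "Unparsable status line: %s", *header); }`. Note that the caller's prefix match now guarantees only the five bytes `HTTP/`, so nothing here has yet verified that a version and a code follow. server_http's body continues past the end of this hunk.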
@@ -3711,8 +3715,21 @@ static jb_err server_http(struct client_state *csp, char **header)
    if ((csp->action->flags & ACTION_DOWNGRADE) != 0)
    {
-      (*header)[7] = '0';
-      log_error(LOG_LEVEL_HEADER, "Downgraded answer to HTTP/1.0");
+      /* XXX: Should we do a real validity check here? */
+      if (strlen(*header) > 8)
+      {
+         (*header)[7] = '0';
+         log_error(LOG_LEVEL_HEADER, "Downgraded answer to HTTP/1.0");
+      }
+      else
+      {
+         /*
+          * XXX: Should we block the request or
+          * enlist a valid status code line here?
+          */
+         log_error(LOG_LEVEL_INFO, "Malformed server response detected. "
+            "Downgrading to HTTP/1.0 impossible.");
+      }
    }
 
    return JB_ERR_OK;
-- 
2.39.2
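Review bot: The new `strlen(*header) > 8` guard closes the out-of-bounds write but proves only that byte 7 exists, not that it is the minor-version digit of an `HTTP/1.x` status line; any server header beginning with `HTTP/` and at least nine bytes long gets its eighth byte replaced with `'0'`, and an `HTTP/1.0` response is "downgraded" (a no-op) with a misleading log line. A prefix comparison answers the hunk's own XXX and bounds the access at the same time: `if (strncmp(*header, "HTTP/1.1", 8) == 0)` in place of the strlen test, and `else if (strncmp(*header, "HTTP/1.0", 8) != 0)` on the else branch so genuine HTTP/1.0 answers pass silently and only the remaining cases reach the "Malformed server response" log. Whether the table match that routes headers here is case-insensitive is not visible in this diff; if it is, `strncmpic` or the project's equivalent should be used for the same reason. server_http opens before this hunk and its closing brace is not shown.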