From b1ab03f7f8da7348cc072140d083c78015534143 Mon Sep 17 00:00:00 2001
From: Jonathan Reem
Date: Thu, 11 Dec 2014 17:08:57 -0800
Subject: [PATCH] (fix) Harden header parsing against memory exhaustion attacks.

Adds new limits on the lengths of header names and fields.
Fixes #187
---
 src/http.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/http.rs b/src/http.rs
index 56c14780..d3a61a1b 100644
--- a/src/http.rs
+++ b/src/http.rs
@@ -486,6 +486,9 @@ pub fn read_http_version(stream: &mut R) -> HttpResult {
 }
 }
+const MAX_HEADER_NAME_LENGTH: uint = 100;
+const MAX_HEADER_FIELD_LENGTH: uint = 1000;
+
 /// The raw bytes when parsing a header line.
 ///
 /// A String and Vec, divided by COLON (`:`). The String is guaranteed
@@ -525,7 +528,10 @@ pub fn read_header(stream: &mut R) -> HttpResult break,
- b if is_token(b) => name.push(b as char),
+ b if is_token(b) => {
+ if name.len() > MAX_HEADER_NAME_LENGTH { return Err(HttpHeaderError); }
+ name.push(b as char)
+ },
 _nontoken => return Err(HttpHeaderError)
 };
 }
@@ -542,6 +548,7 @@ pub fn read_header(stream: &mut R) -> HttpResult {},
 b => {
 ows = false;
+ if value.len() > MAX_HEADER_FIELD_LENGTH { return Err(HttpHeaderError); }
 value.push(b)
 }
 };
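Review bot: The two constants added in the first hunk carry no doc comment, so the unit and the failure mode have to be read out of read_header; a line such as `/// Maximum header name length in bytes; longer names are rejected with HttpHeaderError.` on each would fix that. Separately, 1000 bytes for a field value is likely to reject legitimate requests, since Cookie and Authorization values regularly exceed it and widely deployed servers default to limits of around 8 KB per header line. Consider raising MAX_HEADER_FIELD_LENGTH or making it configurable.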
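Review bot: The length check in the `is_token` arm of the second hunk is off by one: it runs before `name.push` and compares with `>`, so a name can reach MAX_HEADER_NAME_LENGTH + 1 bytes before the error is returned. Use `if name.len() >= MAX_HEADER_NAME_LENGTH { return Err(HttpHeaderError); }`; the `value.len() > MAX_HEADER_FIELD_LENGTH` check in the third hunk has the same shape and needs the same change. The 8 insertions in the diffstat are all accounted for by these hunks, so no test accompanies the limits; a boundary test (input of exactly the limit accepted, one byte more rejected) would pin the intended behaviour. read_header's body starts and ends outside the hunk.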
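Review bot: The cap on `value` in the third hunk bounds a single header line only; nothing in this commit limits how many header lines a peer may send, so the total memory held per request may still be driven by the client unless the caller of read_header enforces a count or total-size limit. That caller is not visible here, so this may already be handled. If it is not, a comment at the check such as `// Bounds one field value only; the caller must bound the number of headers.` would record the remaining gap until a limit is added.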