Skip to content

net/http: MaxBytesReader's Read panics when n < -1 #45101

Closed
@amwolff

Description

@amwolff

What version of Go are you using (go version)?

$ go version
go version go1.16.2 linux/amd64

Does this issue reproduce with the latest release?

Affirmative.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

Passed n < -1 to the MaxBytesReader constructor.

https://play.golang.org/p/aFTkl-eFmOZ

It won't compile in the playground, not sure why (timeout running go build).

What did you expect to see?

An error; behaviour similar to how io.LimitReader behaves (https://play.golang.org/p/ZcUjYXNlGgR).

What did you see instead?

panic: runtime error: slice bounds out of range [:-1]

goroutine 1 [running]:
net/http.(*maxBytesReader).Read(0xc000121f40, 0xc000022350, 0x4, 0x4, 0xc000048710, 0x44164a, 0xc000026000)
        /usr/local/go/src/net/http/request.go:1147 +0x206
...

The fix would be pretty simple, although far from an elegant one:

func MaxBytesReader(w http.ResponseWriter, r io.ReadCloser, n int64) io.ReadCloser {
+	if n < -1 {
+		return &maxBytesReader{w: w, r: r, n: -1}
+	}
	return &maxBytesReader{w: w, r: r, n: n}
}

It was a bit unexpected for me, and if it's indeed an unexpected behaviour, I can work on this and provide some fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions