StringIndexOutOfBoundsException caused by empty content value #11408

togetsukyo · 2021-06-22T19:16:21Z

Actual behavior

A recent commit causing this line to throw exception if we've got empty content-length header:

Content-Length: \r\n\r\n

Stack trace:

java.lang.StringIndexOutOfBoundsException: String index out of range: 0
    at java.lang.StringLatin1.charAt(StringLatin1.java:47) 
    at java.lang.String.charAt(String.java:693) 
    at io.netty.handler.codec.http.HttpUtil.normalizeAndGetContentLength(HttpUtil.java:600) 
    at io.netty.handler.codec.http.HttpObjectDecoder.readHeaders(HttpObjectDecoder.java:642) 
    at io.netty.handler.codec.http.HttpObjectDecoder.decode(HttpObjectDecoder.java:257)
    at io.netty.handler.codec.http.HttpServerCodec$HttpServerRequestDecoder.decode(HttpServerCodec.java:123)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) 
    at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251) 
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) 
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) 
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) 
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) 
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) 
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) 
    at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
    at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480) 
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) 
    at java.lang.Thread.run(Thread.java:829)

Expected behavior

It should gracefully handle the StringIndexOutOfBoundsException and throw exception saying that Content-Length header is invalid.

Steps to reproduce

This can be easily reproduced by the following test code:

@Test
public void test() {
    assertThatThrownBy(() -> {
        ch.writeInbound(Unpooled.copiedBuffer("GET / HTTP/1.0\r\n", CharsetUtil.UTF_8));
        ch.writeInbound(Unpooled.copiedBuffer("Content-Length: \r\n\r\n", CharsetUtil.UTF_8));
    }).hasCauseInstanceOf(StringIndexOutOfBoundsException.class)
            .hasMessageContaining("String index out of range: 0");
}

Minimal yet complete reproducer code (or URL to code)

Netty version

4.1.63.Final

JVM version (e.g. `java -version`)

OS version (e.g. `uname -a`)

The text was updated successfully, but these errors were encountered:

__Motivation__ `HttpUtil#normalizeAndGetContentLength()` throws `StringIndexOutOfBoundsException` for empty `content-length` values, it should instead throw `IllegalArgumentException` for all invalid values. __Modification__ - Throw `IllegalArgumentException` if the `content-length` value is empty. - Add tests __Result__ Fixes netty#11408

NiteshKant · 2021-06-22T22:27:10Z

Thanks for the report @togetsukyo , here is the PR for the fix: #11409

…11409) __Motivation__ `HttpUtil#normalizeAndGetContentLength()` throws `StringIndexOutOfBoundsException` for empty `content-length` values, it should instead throw `IllegalArgumentException` for all invalid values. __Modification__ - Throw `IllegalArgumentException` if the `content-length` value is empty. - Add tests __Result__ Fixes #11408

…etty#11409) __Motivation__ `HttpUtil#normalizeAndGetContentLength()` throws `StringIndexOutOfBoundsException` for empty `content-length` values, it should instead throw `IllegalArgumentException` for all invalid values. __Modification__ - Throw `IllegalArgumentException` if the `content-length` value is empty. - Add tests __Result__ Fixes netty#11408

NiteshKant mentioned this issue Jun 22, 2021

HttpUtil#normalizeAndGetContentLength() should handle empty value #11409

Merged

NiteshKant added this to the 4.1.66.Final milestone Jun 22, 2021

normanmaurer closed this as completed in #11409 Jun 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

StringIndexOutOfBoundsException caused by empty content value #11408

StringIndexOutOfBoundsException caused by empty content value #11408

togetsukyo commented Jun 22, 2021

NiteshKant commented Jun 22, 2021

StringIndexOutOfBoundsException caused by empty content value #11408

StringIndexOutOfBoundsException caused by empty content value #11408

Comments

togetsukyo commented Jun 22, 2021

Actual behavior

Expected behavior

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

JVM version (e.g. java -version)

OS version (e.g. uname -a)

NiteshKant commented Jun 22, 2021

JVM version (e.g. `java -version`)

OS version (e.g. `uname -a`)