The w3.org (RFC2616) seems not to define a maximum size for chunks. But without a maximum chunk-size there is no space for the chunk-extension. There must be a maximum chunk-size, else I can't ignore the chunk-extension as I'm advised to do if it can't be understood (quote: "MUST ignore chunk-extension extensions they do not understand").
What is the maximum chunk size in HTTP response with Transfer-Encoding chunked?
Why do you think you need a maximum size? Are you implementing a server? A client? A proxy? –
Felten
Each chunk extension must begin with a semi-colon and the list of chunk extensions must end with a CRLF. When parsing the chunk-size, stop at either a semi-colon or a CRLF. If you stopped at a semi-colon, ignore everything up to the next CRLF. There is no need for a maximum chunk-size.
chunk = chunk-size [ chunk-extension ] CRLF
chunk-data CRLF
chunk-size = 1*HEX
chunk-extension = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
Request your thoughts for the same question I posted in Roland's answer. –
Thread
Is there a maximum size of the chunk size? –
Despot
The HTTP specification is pretty clear about the syntax of the HTTP messages.
The chunk size is always given as a hexadecimal number. If that number is not directly followed by a CRLF, but a ; instead, you know that there is an extension. This extension is identified by its name (chunk-ext-name). If you never heard of that particular name, you MUST ignore it.
So what exactly is your problem?
- Read a hexadecimal number
- Ignore everything up to the next CRLF
- Be happy
I would like to ask what you would suggest to do when the server is corrupt and sending a never-ending hexadecimal number? Be a victim and read the never-ending hexadecimal number forever, or fix a limit that suits your application and throw out a warning when that happens? –
Thread
@Thread Whatever makes the most sense in your application, probably setting a reasonable limit. –
Segura
You can't just ignore it; this is a potential security leak. You have to limit chunk metadata (size and list of extensions) to a reasonable length. –
Protocol
PS: that's why you shouldn't use the abandoned nodejs http parser. Please look here. It doesn't do an overflow check; it is possible to hang this parser forever by a simple attack. –
Protocol
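The parsing rule from the first answer (read hex until ";" or CRLF, skip the rest of the line) combined with the length limit the comments ask for, as an added example that is not code from the thread. The two caps `MAX_CHUNK_LINE` and `MAX_CHUNK_SIZE` and the sample body are assumptions chosen for illustration.

```python
# Added example: a bounded parser for "chunk-size [chunk-extension] CRLF".
# Extensions are skipped (RFC 2616 says to ignore unknown ones), and the
# size line is capped so a peer sending a never-ending hex string cannot
# keep the parser reading forever. Both limits are assumed values.
from typing import Optional, Tuple

MAX_CHUNK_LINE = 1024      # assumed cap on chunk-size + extensions, in bytes
MAX_CHUNK_SIZE = 1 << 24   # assumed cap on a single chunk's data length

class ChunkError(ValueError):
    """Malformed chunk framing or a limit was exceeded."""

def parse_chunk_header(buf: bytes, pos: int = 0) -> Optional[Tuple[int, int]]:
    """Parse the chunk line starting at buf[pos].
    Returns (chunk_size, index just after the CRLF), or None if the line
    is incomplete but still within MAX_CHUNK_LINE. Raises ChunkError on
    bad syntax or when either limit is exceeded."""
    window = buf[pos:pos + MAX_CHUNK_LINE + 2]
    end = window.find(b"\r\n")
    if end == -1:
        if len(window) > MAX_CHUNK_LINE:
            raise ChunkError("chunk line exceeds %d bytes" % MAX_CHUNK_LINE)
        return None  # need more data from the socket
    line = window[:end]
    # chunk-size ends at the first ';' (extension follows) or at end of line
    semi = line.find(b";")
    size_field = (line if semi == -1 else line[:semi]).strip(b" \t")
    if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
        raise ChunkError("bad chunk-size %r" % size_field)
    size = int(size_field, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkError("chunk-size %d exceeds limit" % size)
    # bytes between ';' and CRLF are chunk-extensions; deliberately ignored
    return size, pos + end + 2

def decode_chunked(body: bytes) -> bytes:
    """Decode a complete chunked body, stopping at the last-chunk (size 0)."""
    out, pos = bytearray(), 0
    while True:
        hdr = parse_chunk_header(body, pos)
        if hdr is None:
            raise ChunkError("truncated chunk header")
        size, pos = hdr
        if size == 0:
            return bytes(out)  # trailer headers, if any, are not parsed here
        data = body[pos:pos + size]
        if len(data) < size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("truncated chunk-data")
        out += data
        pos += size + 2

# Constructed sample: two chunks, the first carrying an extension to be ignored.
SAMPLE_BODY = b"4;ext=1\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
```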