Fix for Kestrel's ParseHeaders throwing ArgumentOutOfRange exception (#61316)

WereWind1 · web-flow · commit 7ced4d6df649 · 2025-04-18T07:18:45.000Z
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs b/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs
@@ -250,7 +250,7 @@ public bool ParseHeaders(TRequestHandler handler, ref SequenceReader<byte> reade
                         else
                         {
                             // Include the thing after the CR in the rejection exception.
-                            var stopIndex = crIndex + 2;
+                            var stopIndex = Math.Min(crIndex + 2, span.Length);
                             RejectRequestHeader(span[..stopIndex]);
                         }
                     }
diff --git a/src/Servers/Kestrel/Core/test/HttpParserTests.cs b/src/Servers/Kestrel/Core/test/HttpParserTests.cs
@@ -795,6 +795,27 @@ public void ParseHeadersWithSplitBuffersThrowsForSmallHeader()
         Assert.Equal(StatusCodes.Status400BadRequest, exception.StatusCode);
     }
 
+    [Fact]
+    public void ParseMultispanHeaderWithCrAtSpanEnd()
+    {
+        var parser = CreateParser(CreateEnabledTrace(), false);
+
+        var buffer = ReadOnlySequenceFactory.CreateSegments(
+            Encoding.ASCII.GetBytes("Head\r"),
+            Encoding.ASCII.GetBytes("va\r"));
+        var requestHandler = new RequestHandler();
+
+        var reader = new SequenceReader<byte>(buffer);
+
+#pragma warning disable CS0618 // Type or member is obsolete
+        var exception = Assert.Throws<BadHttpRequestException>(() =>
+#pragma warning restore CS0618 // Type or member is obsolete
+        {
+            var reader = new SequenceReader<byte>(buffer);
+            parser.ParseHeaders(requestHandler, ref reader);
+        });
+    }
+
     private bool ParseRequestLine(IHttpParser<RequestHandler> parser, RequestHandler requestHandler, ReadOnlySequence<byte> readableBuffer, out SequencePosition consumed, out SequencePosition examined)
     {
         var reader = new SequenceReader<byte>(readableBuffer);

Original file line number	Diff line number	Diff line change
`@@ -250,7 +250,7 @@ public bool ParseHeaders(TRequestHandler handler, ref SequenceReader<byte> reade`
`250`	`250`	`else`
`251`	`251`	`{`
`252`	`252`	`// Include the thing after the CR in the rejection exception.`
`253`		`- var stopIndex = crIndex + 2;`
	`253`	`+ var stopIndex = Math.Min(crIndex + 2, span.Length);`
`254`	`254`	`RejectRequestHeader(span[..stopIndex]);`
`255`	`255`	`}`
`256`	`256`	`}`