Description
HttpContentStream does not currently enforce HTTP/1.1 message framing rules when a valid Content-Length header field is present. This allows already-buffered body bytes to exceed the declared length without triggering a protocol error.
This violates the HTTP/1.1 specification.
From RFC 9112, Section 6.2 (Content-Length):
“For messages that do include content, the Content-Length field value provides the framing information necessary for determining where the data (and message) ends.”
From Section 6.3 (Message Body Length):
“If a valid Content-Length header field is present without Transfer-Encoding, its decimal value defines the expected message body length in octets.”
“If the sender closes the connection or the recipient times out before the indicated number of octets are received, the recipient MUST consider the message to be incomplete and close the connection.”
Although not stated as a single sentence, Section 6.3 makes clear that the declared length is authoritative framing; any deviation indicates an invalid or incomplete message.
The security implications are explicitly called out in RFC 9110 Section 17.5 (Attacks via Protocol Element Length):
“Recipients ought to carefully limit the extent to which they process other protocol elements, including (but not limited to) request methods, response status phrases, field names, numeric values, and chunk lengths. Failure to limit such processing can result in arbitrary code execution due to buffer or arithmetic overflows, and increased vulnerability to denial-of-service attacks.”
Current behavior
The constructor accepts (stream, buffer, offset, length, contentLength) without checking whether (length - offset) > contentLength, even though header parsing may have already consumed body bytes.
Expected behavior
If Content-Length is specified and the number of already-buffered body bytes exceeds it, the constructor must immediately fail with a protocol-level error (e.g., HttpRequestException or InvalidDataException).
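The check described under "Expected behavior", as an added C# example that is not the project's code and not part of the original issue. `ContentLengthGuard` and `CheckBuffered` are hypothetical names, and the example assumes, following the issue's `(length - offset)` expression, that `length` marks the end of the valid data in the buffer; the sample message is constructed.

```csharp
using System;
using System.IO;
using System.Text;

// Hypothetical helper for illustration; not the project's HttpContentStream.
static class ContentLengthGuard
{
    // Assumption: buffer[offset..length) holds the body bytes that header
    // parsing already pulled off the connection.
    public static int CheckBuffered(int offset, int length, long contentLength)
    {
        if (contentLength < 0)
            throw new InvalidDataException("Content-Length must not be negative.");
        if (offset < 0 || length < offset)
            throw new ArgumentOutOfRangeException(nameof(offset));

        int buffered = length - offset;
        if (buffered > contentLength)
            throw new InvalidDataException(
                $"Buffered body is {buffered} octets but Content-Length is {contentLength}.");
        return buffered; // octets of the body that are already available
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: the header declares 5 octets, the read carries 10.
        byte[] raw = Encoding.ASCII.GetBytes(
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhelloEXTRA");
        int bodyStart = Encoding.ASCII.GetString(raw)
            .IndexOf("\r\n\r\n", StringComparison.Ordinal) + 4;

        // Exactly the declared length is buffered: accepted.
        Console.WriteLine(ContentLengthGuard.CheckBuffered(bodyStart, bodyStart + 5, 5));

        try
        {
            // The whole read is handed over: 10 buffered octets against a declared 5.
            ContentLengthGuard.CheckBuffered(bodyStart, raw.Length, 5);
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```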