Fix server hang on chunked transfer encoding size mismatch #12119
Dreamsorcerer merged 3 commits into aio-libs:master from
When chunk-size does not match actual data length, the server now raises TransferEncodingError instead of hanging indefinitely. Per RFC 9112, chunk-data must be exactly chunk-size octets followed by CRLF.

Previously, in PARSE_CHUNKED_CHUNK_EOF state, any data that didn't start with CRLF was stored in _chunk_tail and the parser returned False, waiting forever for more data that would never arrive.

The fix detects when we have enough bytes to determine the separator is wrong (or the available bytes don't match the start of the expected separator) and raises TransferEncodingError immediately.

Fixes aio-libs#10596.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #12119 +/- ##
==========================================
- Coverage 98.78% 98.78% -0.01%
==========================================
Files 128 128
Lines 45279 45295 +16
Branches 2401 2402 +1
==========================================
+ Hits 44730 44745 +15
Misses 390 390
- Partials 159 160 +1
Backport to 3.13: 💚 backport PR created ✅ Backport PR branch: Backported as #12121 🤖 @patchback
(cherry picked from commit 0e2d3ec)
Backport to 3.14: 💚 backport PR created ✅ Backport PR branch: Backported as #12122 🤖 @patchback
(cherry picked from commit 0e2d3ec)
…er encoding size mismatch (#12122) **This is a backport of PR #12119 as merged into master (0e2d3ec).** Co-authored-by: Fridayai700 <[email protected]>
…er encoding size mismatch (#12121) **This is a backport of PR #12119 as merged into master (0e2d3ec).** Co-authored-by: Fridayai700 <[email protected]>
…d transfer encoding size mismatch (aio-libs#12121) **This is a backport of PR aio-libs#12119 as merged into master (cf2b944).** Co-authored-by: Fridayai700 <[email protected]>
Summary

Fixes #10596.

When chunked transfer encoding `chunk-size` does not match the actual data length, the server hangs indefinitely instead of rejecting the request. Per RFC 9112, `chunk-data` must be exactly `chunk-size` octets followed by CRLF.

Root cause: In `PARSE_CHUNKED_CHUNK_EOF` state (after consuming `chunk-size` bytes), any data that doesn't start with `\r\n` is stored in `_chunk_tail` and the parser returns `False` — waiting forever for more data. When the chunk-size is wrong (e.g., declared 4 but sent 5 bytes), the byte after the consumed data is not `\r` and will never become `\r\n`.

Fix: Before falling through to the wait-for-more-data path, check whether the available data can't possibly be the start of the expected CRLF separator. If we have enough bytes to determine the separator is wrong, raise `TransferEncodingError` immediately. The legitimate partial-separator case (received `\r` but not yet `\n`) is preserved.

Changes:

- `aiohttp/http_parser.py`: Add `elif` branch in `PARSE_CHUNKED_CHUNK_EOF` that raises `TransferEncodingError` when data doesn't match CRLF prefix
- `tests/test_http_parser.py`: Two regression tests — data too long (5 bytes for chunk-size 4) and data too short (5 bytes for chunk-size 6)
- `CHANGES/10596.bugfix.rst`: Changelog entry

Test plan

- `test_parse_chunked_payload_size_data_mismatch` and `test_parse_chunked_payload_size_data_mismatch_too_short`
- `test_http_parser.py` suite: 299 passed, 4 pre-existing failures (missing C extension/brotli)
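
The state handling described in the Summary, as an added Python sketch that is not aiohttp's code and not part of this PR: a minimal decoder whose `strict=False` mode reproduces the wait-forever path, while the default mode rejects a tail that cannot be a prefix of CRLF and still tolerates a lone `\r`. `ChunkedDecoder`, `ChunkFramingError`, `strict` and `outcome` are hypothetical names, chunk extensions and trailers are not handled, and the payloads are constructed.

```python
# Added illustration, not aiohttp's parser. ChunkedDecoder, ChunkFramingError,
# strict and outcome are hypothetical names; sample payloads are constructed.
SEP = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

class ChunkFramingError(Exception):
    """Stands in for aiohttp's TransferEncodingError."""

class ChunkedDecoder:
    def __init__(self, strict=True):
        self.strict = strict  # False reproduces the wait-forever behaviour
        self.buf = b""        # unconsumed bytes, the role _chunk_tail plays
        self.state, self.remaining, self.body = "SIZE", 0, bytearray()

    def feed(self, data):
        """Return True once the last chunk (size 0) is seen, else False."""
        self.buf += data
        while self.state != "DONE":
            if self.state == "SIZE":
                line, sep, rest = self.buf.partition(SEP)
                if not sep:
                    return False  # size line still incomplete
                if not line or line.strip(HEX):  # chunk extensions unsupported
                    raise ChunkFramingError("bad chunk-size")
                self.remaining, self.buf = int(line, 16), rest
                self.state = "DATA" if self.remaining else "DONE"
            elif self.state == "DATA":
                n = self.remaining
                take, self.buf = self.buf[:n], self.buf[n:]
                self.body += take
                self.remaining -= len(take)
                if self.remaining:
                    return False  # chunk-data still incomplete
                self.state = "CHUNK_EOF"
            elif self.buf[:2] == SEP:  # CHUNK_EOF: separator present
                self.buf, self.state = self.buf[2:], "SIZE"
            elif self.strict and self.buf and not SEP.startswith(self.buf[:2]):
                raise ChunkFramingError("chunk-data not followed by CRLF")
            else:
                return False  # nothing yet, or a lone b"\r": wait for b"\n"
        return True  # trailer section is ignored in this sketch

def outcome(pieces, strict=True):
    """Feed constructed network reads in order and report the final state."""
    dec = ChunkedDecoder(strict)
    try:
        done = [dec.feed(p) for p in pieces][-1]
    except ChunkFramingError:
        return "rejected"
    return "complete" if done else "waiting"
```

`outcome([b"4\r\nHello\r\n0\r\n\r\n"])` and `outcome([b"6\r\nHello\r\n0\r\n\r\n"])` mirror the two regression cases named in the Changes list; with `strict=False` both stay in the waiting state no matter how much data follows.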