Skip to content

Commit 3e306b1

Browse files
committed
fix: prevent httplib header processing crashes on Android
This fixes a crash in httplib::Server::process_request during header map operations that was causing SIGSEGV on Android devices. The crash occurred in std::map operations with case-insensitive header comparison when processing malformed or excessive HTTP headers. Root causes: 1. Unbounded header sizes: Headers could grow arbitrarily large, causing memory allocation failures in map node construction 2. No payload limits: Requests without size limits could exhaust memory during processing 3. No timeouts: Slow or malicious clients could tie up server threads Fixes: 1. Runtime limits via httplib API: - set_payload_max_length(100MB): Prevents unbounded memory usage - set_read_timeout(30s): Prevents slow requests from blocking threads - set_write_timeout(60s): Allows time for large document transfers 2. Compile-time limits via preprocessor definitions: - CPPHTTPLIB_HEADER_MAX_LENGTH=4KB: Reduced from default 8KB to limit header map memory consumption - CPPHTTPLIB_PAYLOAD_MAX_LENGTH=100MB: Compile-time enforcement as additional safety layer These limits are appropriate for document serving use case and prevent the crashes seen in Google Play crash reports affecting Android users. Backtrace showed crash at: httplib::Server::process_request -> std::__tree::__assign_multi (header map operations) -> std::__tree::__construct_node (memory allocation)
1 parent 280ec20 commit 3e306b1

2 files changed

Lines changed: 18 additions & 0 deletions

File tree

CMakeLists.txt

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -198,6 +198,15 @@ target_include_directories(odr
198198
src
199199
${CMAKE_CURRENT_BINARY_DIR}/src
200200
)
201+
target_compile_definitions(odr
202+
PRIVATE
203+
# httplib resource limits to prevent crashes from malformed requests
204+
# Reduce header max length to 4KB (default is 8KB)
205+
# This prevents memory allocation crashes in header map operations
206+
CPPHTTPLIB_HEADER_MAX_LENGTH=4096
207+
# Limit payload to 100MB at compile-time as additional safety
208+
CPPHTTPLIB_PAYLOAD_MAX_LENGTH=104857600
209+
)
201210
target_link_libraries(odr
202211
PRIVATE
203212
pugixml::pugixml

src/odr/http_server.cpp

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,15 @@ class HttpServer::Impl {
1919
Impl(Config config, std::shared_ptr<Logger> logger)
2020
: m_config{std::move(config)}, m_logger{std::move(logger)},
2121
m_server{std::make_unique<httplib::Server>()} {
22+
// Set resource limits to prevent crashes from malformed or excessive requests.
23+
// This prevents memory exhaustion and header processing crashes on Android.
24+
// Max payload: 100MB (reasonable for document serving, prevents DoS)
25+
m_server->set_payload_max_length(100 * 1024 * 1024);
26+
// Read timeout: 30 seconds (prevents slow requests from tying up threads)
27+
m_server->set_read_timeout(30, 0);
28+
// Write timeout: 60 seconds (allows time for large document transfers)
29+
m_server->set_write_timeout(60, 0);
30+
2231
// Set up exception handler to catch any internal httplib exceptions.
2332
// This prevents crashes when exceptions occur during request processing.
2433
m_server->set_exception_handler([this](const httplib::Request & /*req*/,

0 commit comments

Comments
 (0)