From 02d83583dd698eb1e989f271d9854d78c5de87de Mon Sep 17 00:00:00 2001 From: Dmitry Volyntsev Date: Thu, 11 Jun 2026 16:50:23 -0700 Subject: [PATCH] Fetch: fix Content-Length reservation in request building Previously, the reservation passed to njs_chb_sprintf() was too small for the maximum size_t output, so the header could be silently truncated for very large request bodies. --- nginx/ngx_js_http.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nginx/ngx_js_http.c b/nginx/ngx_js_http.c index bd8260a2..e5d367e9 100644 --- a/nginx/ngx_js_http.c +++ b/nginx/ngx_js_http.c @@ -2263,8 +2263,10 @@ ngx_js_fetch_build_request(ngx_js_http_t *http, ngx_js_request_t *request, } if (request->body.len != 0) { - njs_chb_sprintf(&http->chain, 32, "Content-Length: %uz" CRLF CRLF, - request->body.len); + njs_chb_sprintf(&http->chain, + sizeof("Content-Length: " CRLF CRLF) - 1 + + NGX_SIZE_T_LEN, + "Content-Length: %uz" CRLF CRLF, request->body.len); njs_chb_append(&http->chain, request->body.data, request->body.len); } else { -- 2.47.3