Diffstat (limited to 'net/http/http_stream_parser.cc')
| -rw-r--r-- | net/http/http_stream_parser.cc | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/net/http/http_stream_parser.cc b/net/http/http_stream_parser.cc
index 0e7610c..d3e4abd 100644
--- a/net/http/http_stream_parser.cc
+++ b/net/http/http_stream_parser.cc
@@ -53,7 +53,7 @@ int HttpStreamParser::SendRequest(const std::string& headers,
 DCHECK(response);
 response_ = response;
- scoped_refptr<StringIOBuffer> headers_io_buf = new StringIOBuffer(headers);
+ scoped_refptr<StringIOBuffer> headers_io_buf(new StringIOBuffer(headers));
 request_headers_ = new DrainableIOBuffer(headers_io_buf, headers_io_buf->size());
 request_body_.reset(request_body);
@@ -510,13 +510,20 @@ int HttpStreamParser::DoParseResponseHeaders(int end_offset) {
 void* it = NULL;
 const std::string content_length_header("Content-Length");
- std::string ignored_header_value;
+ std::string content_length_value;
 if (!headers->HasHeader("Transfer-Encoding") && headers->EnumerateHeader(
- &it, content_length_header, &ignored_header_value) &&
- headers->EnumerateHeader(
- &it, content_length_header, &ignored_header_value)) {
- return ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH;
+ &it, content_length_header, &content_length_value)) {
+ // Ok, there's no Transfer-Encoding header and there's at least one
+ // Content-Length header. Check if there are any more Content-Length
+ // headers, and if so, make sure they have the same value. Otherwise, it's
+ // a possible response smuggling attack.
+ std::string content_length_value2;
+ while (headers->EnumerateHeader(
+ &it, content_length_header, &content_length_value2)) {
+ if (content_length_value != content_length_value2)
+ return ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH;
+ }
 }
 response_->headers = headers; |
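Review bot: The duplicate Content-Length comparison in DoParseResponseHeaders still sits behind `!headers->HasHeader("Transfer-Encoding")`, so a response carrying any Transfer-Encoding header, whatever its value, skips the new `while` loop entirely. If the body-framing code outside this hunk falls back to Content-Length when the Transfer-Encoding is not chunked, conflicting lengths would go unchecked on that path. Gating on chunked encoding actually being in effect, rather than on header presence, would close that, and should be confirmed against the code that selects the framing. The loop also compares the values as strings, which rejects numerically equal but differently written lengths; that is the safe direction, but worth a comment such as `// Compared textually on purpose: "5" and "05" count as a mismatch.` The function body starts and ends outside the hunk.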
