Server hangs when chunk-size does not match actual data size in chunked transfer encoding

Open TUO-Wu opened this issue 9 months ago • 0 comments

Describe the bug

Aiohttp does not properly handle chunked transfer encoding when the chunk-size does not match the actual data size. Instead of rejecting the request with a 400 Bad Request, the server hangs indefinitely.

To Reproduce

  1. Run aiohttp.
  2. Send the following request:
POST / HTTP/1.1\r\n
Host: victim.com\r\n
Transfer-Encoding: chunked\r\n
\r\n
4(or 6)\r\n
Hello\r\n
0\r\n
\r\n
  3. aiohttp does not reject, but hangs unresponsive.

Expected behavior

The server should reject with 400 Bad Request. RFC 9112 says this:

chunk-data = 1*OCTET ; a sequence of chunk-size octets.

This may imply that the length of chunk-data should be as indicated by chunk-size. Take waitress as an example:

$ echo -ne "POST / HTTP/1.1\r\nHost: victim.com\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nHello\r\n0\r\n\r\n" | nc 172.18.0.6 80
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 71
Content-Type: text/plain; charset=utf-8
Date: Tue, 18 Mar 2025 14:50:37 GMT
Server: waitress

Bad Request

Chunk not properly terminated

(generated by waitress)

Logs/tracebacks

/

Python Version

$ python --version
Python 3.10.12

aiohttp Version

$ python -m pip show aiohttp
Judging by the response:
aiohttp/4.0.0a2.dev0
(Instead of downloading aiohttp via pip, I deployed aiohttp via docker)

multidict Version

$ python -m pip show multidict
/

propcache Version

$ python -m pip show propcache
/

yarl Version

$ python -m pip show yarl
/

OS

Ubuntu 11.4.0-1ubuntu1~22.04

Related component

Server

Additional context

No response

Code of Conduct

  • [x] I agree to follow the aio-libs Code of Conduct

TUO-Wu, Mar 18 '25 15:03
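
The length check the report asks for, as an added example that is not part of the original issue and is not aiohttp's or waitress's code: a strict decoder for a buffered chunked body that requires CRLF immediately after exactly chunk-size octets. The names decode_chunked, BadChunk and NeedMoreData are hypothetical, and chunk extensions and trailer fields are not handled.

```python
class BadChunk(ValueError):
    """Malformed chunked framing; a server would answer 400 Bad Request."""

class NeedMoreData(Exception):
    """Framing is valid so far but incomplete; keep reading under a timeout."""

HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")

def decode_chunked(buf: bytes) -> bytes:
    """Strictly decode a buffered chunked body (RFC 9112, section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise NeedMoreData("chunk-size line not terminated yet")
        # Drop chunk extensions; they are not validated in this sketch.
        size_field = buf[pos:eol].split(b";", 1)[0]
        if not size_field or not set(size_field) <= HEXDIGITS:
            raise BadChunk(f"invalid chunk-size {size_field!r}")
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            # Last chunk. Only an empty trailer section (bare CRLF) is accepted.
            if len(buf) < pos + 2:
                raise NeedMoreData("final CRLF not received yet")
            if buf[pos:pos + 2] != b"\r\n":
                raise BadChunk("trailer fields are not handled here")
            return bytes(out)
        end = pos + size
        if len(buf) < end + 2:
            raise NeedMoreData("fewer octets than chunk-size so far")
        # The check at issue: exactly `size` octets, then CRLF.
        if buf[end:end + 2] != b"\r\n":
            raise BadChunk("chunk not properly terminated")
        out += buf[pos:end]
        pos = end + 2

# Bodies from the issue's request (chunk-size 4 and 6), plus a constructed valid one.
SIZE_4 = b"4\r\nHello\r\n0\r\n\r\n"
SIZE_6 = b"6\r\nHello\r\n0\r\n\r\n"
SIZE_5 = b"5\r\nHello\r\n0\r\n\r\n"

if __name__ == "__main__":
    for body in (SIZE_4, SIZE_6, SIZE_5):
        try:
            print(body, "->", decode_chunked(body))
        except BadChunk as exc:
            print(body, "-> 400 Bad Request:", exc)
```

A declared chunk-size larger than everything the client ever sends surfaces as NeedMoreData rather than BadChunk, so the caller still needs a read timeout to avoid waiting indefinitely.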