diff -up http-parser-2.7.1/http_parser.c.cve http-parser-2.7.1/http_parser.c

--- http-parser-2.7.1/http_parser.c.cve	2019-03-23 09:08:12.831806096 +0100

+++ http-parser-2.7.1/http_parser.c	2019-03-23 09:09:45.047875248 +0100

@@ -1483,6 +1483,11 @@ reexecute:

             parser->header_state = h_content_length_num;

             break;

+          /* when obsolete line folding is encountered for content length

+           * continue to the s_header_value state */

+          case h_content_length_ws:

+            break;

+

           case h_connection:

             /* looking for 'Connection: keep-alive' */

             if (c == 'k') {

@@ -1727,6 +1732,10 @@ reexecute:

       case s_header_value_lws:

       {

         if (ch == ' ' || ch == '\t') {

+          if (parser->header_state == h_content_length_num) {

+              /* treat obsolete line folding as space */

+              parser->header_state = h_content_length_ws;

+          }

           UPDATE_STATE(s_header_value_start);

           REEXECUTE();

         }

diff -up http-parser-2.7.1/test.c.cve http-parser-2.7.1/test.c

--- http-parser-2.7.1/test.c.cve	2019-03-23 09:08:12.831806096 +0100

+++ http-parser-2.7.1/test.c	2019-03-23 09:09:45.049875249 +0100

@@ -3968,6 +3968,20 @@ main (void)

       HPE_INVALID_CONTENT_LENGTH,

       HTTP_REQUEST);

+  test_simple_type(

+      "POST / HTTP/1.1\r\n"

+      "Content-Length:  42\r\n"

+      " Hello world!\r\n",

+      HPE_INVALID_CONTENT_LENGTH,

+      HTTP_REQUEST);

+

+  test_simple_type(

+      "POST / HTTP/1.1\r\n"

+      "Content-Length:  42\r\n"

+      " \r\n",

+      HPE_OK,

+      HTTP_REQUEST);

+

   //// RESPONSES

   for (i = 0; i < response_count; i++) {