BUG/MAJOR: http: fix the 'next' pointer when performing a redirect

Commit bed410e ("MAJOR: http: centralize data forwarding in the request path")
has woken up an issue in redirects, where msg->next is not reset when flushing
the input buffer. The result is an attempt to forward a negative amount of
data, making haproxy crash.

This bug does not seem to affect versions prior to dev23, so no backport is
needed.

diff --git a/src/proto_http.c b/src/proto_http.c
index 8d42a1d50bb9a8beba50f8784078f3ff797e8dd1..3675b85aa1fe17bb191e5c3c7ab8539e0265f5d0 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3530,6 +3530,7 @@ static int http_apply_redirect_rule(struct redirect_rule *rule, struct session *
                bo_inject(txn->rsp.chn, trash.str, trash.len);
                /* "eat" the request */
                bi_fast_delete(txn->req.chn->buf, msg->sov);
+               msg->next -= msg->sov;
                msg->sov = 0;
                txn->req.chn->analysers = AN_REQ_HTTP_XFER_BODY;
                s->rep->analysers = AN_RES_HTTP_XFER_BODY;