BUG/MAJOR: mux-h1: Properly handle wrapping on obuf when dumping the first-line

The formatting of the first-line, for a request or a response, does not
properly handle the wrapping of the output buffer. This may lead to a data
corruption for the current response or eventually for the previous one.

Utility functions used to format the first-line of the request or the
response rely on the chunk API. So it is not expected to pass a buffer that
wraps. Unfortunatly, because of a change performed during the 2.9 dev cycle,
the output buffer was direclty used instead of a non-wrapping buffer created
from it with b_make() function. It is not an issue for the request because
its start-line is always the first block formatted in the output buffer. But
for the response, the output may be not empty and may wrap. In that case,
the response start-line is dumped at a random position in the buffer,
corrupting data. AFAIK, it is only an issue if the HTTP request pipelining
is used.

To fix the issue, we now take care to create a non-wapping buffer from the
output buffer.

This patch should fix issues #2779 and #2996. It must be backported as far as
2.9.

diff --git a/src/h1_htx.c b/src/h1_htx.c
index 33a86faa7fa0dce42b5ce38dff3aadd43ff36f92..79d739d7929934fa9a671df386988a14f529e656 100644 (file)
--- a/src/h1_htx.c
+++ b/src/h1_htx.c
@@ -951,6 +951,7 @@ int h1_parse_msg_tlrs(struct h1m *h1m, struct htx *dsthtx,
 
 /* Appends the H1 representation of the request line <sl> to the chunk <chk>. It
  * returns 1 if data are successfully appended, otherwise it returns 0.
+ * <chk> buffer must not wrap.
  */
 int h1_format_htx_reqline(const struct htx_sl *sl, struct buffer *chk)
 {
@@ -985,6 +986,7 @@ int h1_format_htx_reqline(const struct htx_sl *sl, struct buffer *chk)
 
 /* Appends the H1 representation of the status line <sl> to the chunk <chk>. It
  * returns 1 if data are successfully appended, otherwise it returns 0.
+ * <chk> buffer must not wrap.
  */
 int h1_format_htx_stline(const struct htx_sl *sl, struct buffer *chk)
 {
@@ -1018,6 +1020,7 @@ int h1_format_htx_stline(const struct htx_sl *sl, struct buffer *chk)
 /* Appends the H1 representation of the header <n> with the value <v> to the
  * chunk <chk>. It returns 1 if data are successfully appended, otherwise it
  * returns 0.
+ * <chk> buffer must not wrap.
  */
 int h1_format_htx_hdr(const struct ist n, const struct ist v, struct buffer *chk)
 {
@@ -1042,6 +1045,7 @@ int h1_format_htx_hdr(const struct ist n, const struct ist v, struct buffer *chk
 /* Appends the H1 representation of the data <data> to the chunk <chk>. If
  * <chunked> is non-zero, it emits HTTP/1 chunk-encoded data. It returns 1 if
  * data are successfully appended, otherwise it returns 0.
+ * <chk> buffer must not wrap.
  */
 int h1_format_htx_data(const struct ist data, struct buffer *chk, int chunked)
 {

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 0382427634f5fd4c08ce98f4041204eb78adff6f..734d0627b7937b93dfbca56617441bab460ab49c 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -2341,6 +2341,7 @@ static size_t h1_make_reqline(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 {
        struct h1c *h1c = h1s->h1c;
         struct htx_blk *blk;
+       struct buffer outbuf;
        struct htx_sl *sl;
        enum htx_blk_type type;
        uint32_t sz;
@@ -2365,11 +2366,14 @@ static size_t h1_make_reqline(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 
        if (b_space_wraps(&h1c->obuf))
                b_slow_realign(&h1c->obuf, trash.area, b_data(&h1c->obuf));
+       outbuf = b_make(b_tail(&h1c->obuf), b_contig_space(&h1c->obuf), 0, 0);
 
        sl = htx_get_blk_ptr(htx, blk);
-       if (!h1_format_htx_reqline(sl, &h1c->obuf))
+       if (!h1_format_htx_reqline(sl, &outbuf))
                goto full;
 
+       b_add(&h1c->obuf, outbuf.data);
+
        h1s->meth = sl->info.req.meth;
        h1_parse_req_vsn(h1m, sl);
 
@@ -2424,6 +2428,7 @@ static size_t h1_make_stline(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 {
        struct h1c *h1c = h1s->h1c;
        struct htx_blk *blk;
+       struct buffer outbuf;
        struct htx_sl *sl;
        enum htx_blk_type type;
        uint32_t sz;
@@ -2450,11 +2455,14 @@ static size_t h1_make_stline(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 
        if (b_space_wraps(&h1c->obuf))
                b_slow_realign(&h1c->obuf, trash.area, b_data(&h1c->obuf));
+       outbuf = b_make(b_tail(&h1c->obuf), b_contig_space(&h1c->obuf), 0, 0);
 
        sl = htx_get_blk_ptr(htx, blk);
-       if (!h1_format_htx_stline(sl, &h1c->obuf))
+       if (!h1_format_htx_stline(sl, &outbuf))
                goto full;
 
+       b_add(&h1c->obuf, outbuf.data);
+
        h1s->status = sl->info.res.status;
        h1_parse_res_vsn(h1m, sl);