BUG/MAJOR: http: chunk parser was broken with buffer changes

Since at least commit a458b679, msg->sov could become negative in
http_parse_chunk_size() if a chunk size wrapped around the buffer.
The effect is that at some point channel_forward() was called with
a negative size, causing all data to be transferred without being
analyzed anymore.

Since haproxy does not support keep-alive with the server yet, this
issue is not really noticeable, as the server closes the connection
in response. Still, when tunnel mode is used or when pretent-keepalive
is used, it is possible to see the problem.

This issue was reported and diagnosed by William Lallemand at
Exceliance.

diff --git a/src/proto_http.c b/src/proto_http.c
index 983d3946d17bef300bb0908c832223a53a23783a..85ee021379222c4ba8cc4e4bd62bb3b3b653c2a2 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1826,6 +1826,8 @@ int http_parse_chunk_size(struct http_msg *msg)
         * which may or may not be present. We save that into ->next and
         * ->sov.
         */
+       if (ptr < ptr_old)
+               msg->sov += buf->buf.size;
        msg->sov += ptr - ptr_old;
        msg->next = buffer_count(&buf->buf, buf->buf.p, ptr);
        msg->chunk_len = chunk;