BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message

In htx_copy_msg(), if the destination buffer is empty, we perform a raw copy
of the message instead of a copy block per block. But we must be sure the
destianation buffer was really allocated. In other word, to perform a raw
copy, the HTX message must be empty _AND_ it must have some free space
available.

This function is only used to copy an HTTP reply (for instance, an error or
a redirect) in the buffer of the response channel. For now, we are sure the
buffer was allocated because it is a pre-requisite to call stream
analyzers. However, it may be a source of bug in future.

This patch may be backported as far as 2.3.

diff --git a/include/haproxy/htx.h b/include/haproxy/htx.h
index c7ae3089137894d7c36c75a01338c2a52d62cb21..c74d0db2684bc1307585ce572f9d9f9a3faeae99 100644 (file)
--- a/include/haproxy/htx.h
+++ b/include/haproxy/htx.h
@@ -749,8 +749,8 @@ static inline int htx_expect_more(const struct htx *htx)
  */
 static inline int htx_copy_msg(struct htx *htx, const struct buffer *msg)
 {
-       /* The destination HTX message is empty, we can do a raw copy */
-       if (htx_is_empty(htx)) {
+       /* The destination HTX message is allocated and empty, we can do a raw copy */
+       if (htx_is_empty(htx) && htx_free_space(htx)) {
                memcpy(htx, msg->area, msg->size);
                return 1;
        }