From: Willy Tarreau <w@1wt.eu>
Date: Sun, 16 Dec 2018 08:38:30 +0000 (+0100)
Subject: BUG/MAJOR: hpack: fix length check for short names encoding
X-Git-Tag: v1.9-dev11~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0dc1b84839ef235a3153d1ef3e729fe1c89f2ea9;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: hpack: fix length check for short names encoding

Commit 19ed92b ("MINOR: hpack: optimize header encoding for short names")
introduced an error in the space computation for short names, as it removed
the length encoding from the count without replacing with 1 (the minimum
byte). This results in the last byte of the area being occasionally
overwritten, which is immediately detected with -DDEBUG_MEMORY_POOLS as
the canary at the end gets overwritten.

No backport is needed.
---

diff --git a/src/hpack-enc.c b/src/hpack-enc.c
index 818a0abd7b..1e57153f22 100644
--- a/src/hpack-enc.c
+++ b/src/hpack-enc.c
@@ -177,7 +177,7 @@ int hpack_encode_header(struct buffer *out, const struct ist n,
 	}
 
  make_literal:
-	if (likely(n.len < 127 && len + 1 + n.len <= size)) {
+	if (likely(n.len < 127 && len + 2 + n.len <= size)) {
 		out->area[len++] = 0x00;      /* literal without indexing -- new name */
 		out->area[len++] = n.len;     /* single-byte length encoding */
 		ist2bin(out->area + len, n);