From: Willy Tarreau Date: Fri, 18 Feb 2022 16:28:25 +0000 (+0100) Subject: BUG/MEDIUM: httpclient: limit transfers to the maximum available room X-Git-Tag: v2.6-dev2~107 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11adb1d8fcab29ef8b12c93e3b036bb3dcf1607b;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: httpclient: limit transfers to the maximum available room A bug was uncovered by commit fc5912914 ("MINOR: httpclient: Don't limit data transfer to 1024 bytes"), it happens that callers of b_xfer() and b_force_xfer() are expected to check for available room in the target buffer. Previously it was unlikely to be full but now with full buffer- sized transfers, it happens more often and in practice it is possible to crash the process with the debug command "httpclient" on the CLI by going beyond a the max buffer size. Other call places ought to be rechecked by now and it might be time to rethink this API if it tends to generalize. This must be backported to 2.5. --- diff --git a/src/http_client.c b/src/http_client.c index d2e23fff50..f2b60ae2fb 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -352,9 +352,10 @@ error: */ int httpclient_res_xfer(struct httpclient *hc, struct buffer *dst) { + size_t room = b_room(dst); int ret; - ret = b_force_xfer(dst, &hc->res.buf, b_data(&hc->res.buf)); + ret = b_force_xfer(dst, &hc->res.buf, MIN(room, b_data(&hc->res.buf))); /* call the client once we consumed all data */ if (!b_data(&hc->res.buf)) { b_free(&hc->res.buf);