From: Willy Tarreau
Date: Tue, 18 Dec 2018 10:00:41 +0000 (+0100)
Subject: BUG/MEDIUM: h2: fix aggregated cookie length computation in HTX mode
X-Git-Tag: v1.9.0~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=164e0610669af0a2646a0b816f60f96753e6f5dd;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h2: fix aggregated cookie length computation in HTX mode

Cyril Bonté reported a bug in the way the cookie length is computed when aggregating multiple cookies : the first cookie name was counted as part of the value length, causing random contents to be placed there, possibly leading to bad requests.

No backport is needed.
---
diff --git a/src/h2.c b/src/h2.c index 1b784fd4ab..883075262b 100644 --- a/src/h2.c +++ b/src/h2.c @@ -537,29 +537,32 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms uint32_t fs; // free space uint32_t bs; // block size uint32_t vl; // value len + uint32_t tl; // total length struct htx_blk *blk; blk = htx_add_header(htx, ist("cookie"), list[ck].v); if (!blk) goto fail; + tl = list[ck].v.len; fs = htx_free_data_space(htx); bs = htx_get_blksz(blk); /* for each extra cookie, we'll extend the cookie's value and * insert "; " before the new value. */ - for ( ; (ck = list[ck].n.len) >= 0 ; ) { + fs += tl; // first one is already counted + for (; (ck = list[ck].n.len) >= 0 ; ) { vl = list[ck].v.len; - if (vl + 2 > fs) + tl += vl + 2; + if (tl > fs) goto fail; - htx_set_blk_value_len(blk, bs + 2 + vl); + htx_set_blk_value_len(blk, tl); *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';'; *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' '; memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl); bs += vl + 2; - fs -= vl + 2; } }
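
Review bot: After the added `fs += tl;`, `fs` no longer holds the free space but the upper bound on the aggregated value length, yet its declaration comment still reads `// free space`, and the new `// first one is already counted` comment does not say which quantity it refers to. Consider updating the declaration comment (or using a separately named limit) and adding a line stating that `bs` is the write offset from the start of the block, which per the commit message counts the cookie name, while `tl` is the value length only; mixing those two is what the removed `htx_set_blk_value_len(blk, bs + 2 + vl)` call got wrong, and the loop still advances both counters in parallel. Separately, `tl += vl + 2` and `fs += tl` are unsigned 32-bit additions, so the `if (tl > fs)` check relies on header lengths being bounded elsewhere; a short comment naming that assumption would make the bound easier to audit.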