From: Christopher Faulet Date: Tue, 12 Feb 2019 13:29:57 +0000 (+0100) Subject: BUG/MEDIUM: proto_htx: Fix data size update if end of the cookie is removed X-Git-Tag: v2.0-dev1~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6cdaf2ad9a73f3b319cac409c7116ab090342049;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: proto_htx: Fix data size update if end of the cookie is removed When client-side or server-side cookies are parsed, if the end of the cookie line is removed, the HTX message must be updated. The length of the HTX block is decreased and the data size of the HTX message is modified accordingly. The update of the HTX block was ok but the update of the HTX message was wrong, leading to undefined behaviours during the data forwarding. One of possible effect was a freeze of the connection and no data forward. This patch must be backported in 1.9. --- diff --git a/src/proto_htx.c b/src/proto_htx.c index 9e285f216a..59b7cb2738 100644 --- a/src/proto_htx.c +++ b/src/proto_htx.c @@ -4281,7 +4281,7 @@ static void htx_manage_client_side_cookies(struct stream *s, struct channel *req if ((hdr_end - hdr_beg) != ctx.value.len) { if (hdr_beg != hdr_end) { htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg); - htx->data -= (hdr_end - ctx.value.ptr); + htx->data -= ctx.value.len - (hdr_end - hdr_beg); } else http_remove_header(htx, &ctx); @@ -4460,9 +4460,9 @@ static void htx_manage_server_side_cookies(struct stream *s, struct channel *res next += stripped_before; hdr_end += stripped_before; + htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg); + htx->data -= ctx.value.len - (hdr_end - hdr_beg); ctx.value.len = hdr_end - hdr_beg; - htx_set_blk_value_len(ctx.blk, ctx.value.len); - htx->data -= (hdr_end - ctx.value.ptr); } /* First, let's see if we want to capture this cookie. We check