From: Willy Tarreau <w@1wt.eu>
Date: Fri, 25 Apr 2014 10:19:32 +0000 (+0200)
Subject: BUG/MAJOR: http: fix the 'next' pointer when performing a redirect
X-Git-Tag: v1.5-dev24~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d8bac7ddc4d12c8136ef5843f5d7479390f426e;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: http: fix the 'next' pointer when performing a redirect

Commit bed410e ("MAJOR: http: centralize data forwarding in the request path")
has woken up an issue in redirects, where msg->next is not reset when flushing
the input buffer. The result is an attempt to forward a negative amount of
data, making haproxy crash.

This bug does not seem to affect versions prior to dev23, so no backport is
needed.
---

diff --git a/src/proto_http.c b/src/proto_http.c
index 8d42a1d50b..3675b85aa1 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3530,6 +3530,7 @@ static int http_apply_redirect_rule(struct redirect_rule *rule, struct session *
 		bo_inject(txn->rsp.chn, trash.str, trash.len);
 		/* "eat" the request */
 		bi_fast_delete(txn->req.chn->buf, msg->sov);
+		msg->next -= msg->sov;
 		msg->sov = 0;
 		txn->req.chn->analysers = AN_REQ_HTTP_XFER_BODY;
 		s->rep->analysers = AN_RES_HTTP_XFER_BODY;