From: Willy Tarreau Date: Sun, 3 Dec 2017 08:44:50 +0000 (+0100) Subject: BUG/MAJOR: h2: correctly check the request length when building an H1 request X-Git-Tag: v1.9-dev1~624 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=811ad12414e43608fd9d20865990496918ca2dd6;p=thirdparty%2Fhaproxy.git BUG/MAJOR: h2: correctly check the request length when building an H1 request Due to a typo in the request maximum length calculation, we count the request path twice instead of counting it added to the method's length. This has two effects, the first one being that a path cannot be larger than half a buffer, and the second being that the method's length isn't properly checked. Due to the way the temporary buffers are used internally, it is quite difficult to meet this condition. In practice, the only situation where this can cause a problem is when exactly one of either the method or the path are compressed and the other ones is sent as a literal. Thanks to Yves Lafon for providing useful traces exhibiting this issue. To be backported to 1.8. --- diff --git a/src/h2.c b/src/h2.c index 3d03b12aaa..183b7c374e 100644 --- a/src/h2.c +++ b/src/h2.c @@ -83,7 +83,7 @@ static int h2_prepare_h1_reqline(uint32_t fields, struct ist *phdr, char **ptr, } } - if (out + phdr[uri_idx].len + 1 + phdr[uri_idx].len + 11 > end) { + if (out + phdr[H2_PHDR_IDX_METH].len + 1 + phdr[uri_idx].len + 11 > end) { /* too large */ goto fail; }
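Review bot: The corrected condition `if (out + phdr[H2_PHDR_IDX_METH].len + 1 + phdr[uri_idx].len + 11 > end)` still leaves the bare constants `1` and `11` unexplained, and a sum this opaque is easy to get wrong, as the duplicated `phdr[uri_idx].len` on the removed line shows. A short comment or named constants stating what each term accounts for (method, separator, URI, and the fixed tail, presumably the version string and line ending) would make a wrong term stand out in review. It would also be safer to compare the summed lengths against `end - out` instead of adding them to `out`, so the check never relies on forming a pointer beyond the buffer when a length is large. Since the commit message says the method's length was not properly checked before, a regression test that sends an oversized method with a short path would keep this from reappearing.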