From: Christopher Faulet Date: Fri, 4 Aug 2023 08:36:06 +0000 (+0200) Subject: BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room() X-Git-Tag: v2.9-dev7~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a633338b55b453752a88134299cd93d9a01997d0;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room() sc_need_room() function may be called with a negative value. In this case, the intent is to be notified if any space was made in the channel buffer. In the function, we get the min between the requested room and the maximum possible room in the buffer, considering it may be an HTX buffer. However this max value is unsigned and leads to an unsigned comparison, casting the negative value to an unsigned value. Of course, in this case, this always leads to the wrong result. This bug seems to have no effect but it is hard to be sure. To fix the issue, we take care to respect the requested room sign by casting the max value to a signed integer. This patch must be backported to 2.8. --- diff --git a/include/haproxy/stconn.h b/include/haproxy/stconn.h index 8d9ac66506..ac2cbd84ea 100644 --- a/include/haproxy/stconn.h +++ b/include/haproxy/stconn.h @@ -457,7 +457,7 @@ static inline void sc_have_room(struct stconn *sc) static inline void sc_need_room(struct stconn *sc, ssize_t room_needed) { sc->flags |= SC_FL_NEED_ROOM; - sc->room_needed = MIN(global.tune.bufsize - global.tune.maxrewrite - sizeof(struct htx), room_needed); + sc->room_needed = MIN((ssize_t)(global.tune.bufsize - global.tune.maxrewrite - sizeof(struct htx)), room_needed); } /* The stream endpoint indicates that it's ready to consume data from the