From: Christopher Faulet
Date: Wed, 21 Apr 2021 09:11:21 +0000 (+0200)
Subject: BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
X-Git-Tag: v2.4-dev17~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb1847c77285ba6dbd413774fcf2282cafa19bd2;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames

When headers are split over several frames, the payloads of HEADERS and CONTINUATION frames are merged to form a unique HEADERS frame before decoding the payload. To do so, info about the current frame is updated (dff, dfl..) with info of the next one. Here there is a bug when the frame length (dfl) is updated. We must add the next frame length (hdr.dfl) and not only the amount of data found in the buffer (clen).

Because HEADERS frames are decoded in one pass, the dfl value is the whole frame length or 0, nothing intermediary.

This patch must be backported as far as 2.0.
---
diff --git a/src/mux_h2.c b/src/mux_h2.c index 695eb160d4..35767b1853 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -4642,7 +4642,7 @@ next_frame: * above). The hole moves after the new aggragated frame. */ b_move(&h2c->dbuf, b_peek_ofs(&h2c->dbuf, h2c->dfl + hole + 9), clen, -(h2c->dpl + hole + 9)); - h2c->dfl += clen - h2c->dpl; + h2c->dfl += hdr.len - h2c->dpl; hole += h2c->dpl + 9; h2c->dpl = 0; TRACE_STATE("waiting for next continuation frame", H2_EV_RX_FRAME|H2_EV_RX_FHDR|H2_EV_RX_CONT|H2_EV_RX_HDR, h2c->conn);
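
Review bot: the changed line `h2c->dfl += hdr.len - h2c->dpl;` should carry a short comment stating that dfl grows by the next frame's full length rather than by clen, because the b_move() call directly above it still moves only clen bytes and the two values now differ on purpose. Without that comment the difference reads like an oversight and invites a later "cleanup" back to clen, which would reintroduce the bug. A one-line comment such as `/* dfl is the whole merged frame length, not only the clen bytes already in the buffer */` would be enough. The commit message also calls the added value hdr.dfl while the code uses hdr.len; using the field name that appears in the code would make the backports as far as 2.0 easier to match against the description.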