From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 8 Jul 2025 06:04:01 +0000 (+0200)
Subject: BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
X-Git-Tag: v3.3-dev3~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9ca8f6b71cd17bae0718f0b1e9da919fc00264d;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred

When HTX blocks from the requests are transferred into the channel buffer,
the return value of htx_xfer_blks() function must not be used to increment
the channel input value because meta data are counted here while they are
not part of input data. Because of this bug, it is possible to forward more
data than these present in the channel buffer.

Instead, we look at the input data before and after the transfer and the
difference is added.

It is only an issue with large POSTs, when the payload is streamed.

This patch must be backported as far as 2.6.
---

diff --git a/src/http_client.c b/src/http_client.c
index 47d73e004..96156ecc3 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -592,9 +592,11 @@ void httpclient_applet_io_handler(struct appctx *appctx)
 							channel_add_input(req, data);
 						} else {
 							struct htx_ret ret;
+							size_t data = htx->data;
 
 							ret = htx_xfer_blks(htx, hc_htx, htx_used_space(hc_htx), HTX_BLK_UNUSED);
-							channel_add_input(req, ret.ret);
+							data = htx->data - data;
+							channel_add_input(req, data);
 
 							/* we must copy the EOM if we empty the buffer */
 							if (htx_is_empty(hc_htx)) {