From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 1 Feb 2022 17:11:50 +0000 (+0100)
Subject: BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
X-Git-Tag: v2.6-dev2~104
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc523e3b89d8ff3b73eb7d3218cbf2907c94f6ae;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message

In htx_copy_msg(), if the destination buffer is empty, we perform a raw copy
of the message instead of a copy block per block. But we must be sure the
destianation buffer was really allocated. In other word, to perform a raw
copy, the HTX message must be empty _AND_ it must have some free space
available.

This function is only used to copy an HTTP reply (for instance, an error or
a redirect) in the buffer of the response channel. For now, we are sure the
buffer was allocated because it is a pre-requisite to call stream
analyzers. However, it may be a source of bug in future.

This patch may be backported as far as 2.3.
---

diff --git a/include/haproxy/htx.h b/include/haproxy/htx.h
index c7ae308913..c74d0db268 100644
--- a/include/haproxy/htx.h
+++ b/include/haproxy/htx.h
@@ -749,8 +749,8 @@ static inline int htx_expect_more(const struct htx *htx)
  */
 static inline int htx_copy_msg(struct htx *htx, const struct buffer *msg)
 {
-	/* The destination HTX message is empty, we can do a raw copy */
-	if (htx_is_empty(htx)) {
+	/* The destination HTX message is allocated and empty, we can do a raw copy */
+	if (htx_is_empty(htx) && htx_free_space(htx)) {
 		memcpy(htx, msg->area, msg->size);
 		return 1;
 	}