From: Christopher Faulet <cfaulet@haproxy.com>
Date: Mon, 10 Dec 2018 14:30:06 +0000 (+0100)
Subject: BUG/MEDIUM: mux-h1: Don't loop on the headers parsing if the read0 was received
X-Git-Tag: v1.9-dev11~136
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6ce9d61f98f9c59d18711295836cf17b506a344;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-h1: Don't loop on the headers parsing if the read0 was received

If a server sends part of headers and then close its connection, the mux H1
reamins blocked in an infinite loop trying to read more data to finish the
parsing of the message. The flag CS_FL_REOS is set on the conn_stream. But
because there are some data in the input buffer, CS_FL_EOS is never set.

To fix the bug, in h1_process_input, when CS_FL_REOS is set on the conn_stream,
we also set CS_FL_EOS if the input buffer is empty OR if the channel's buffer is
empty.
---

diff --git a/src/mux_h1.c b/src/mux_h1.c
index f7026c9c56..fa3ffa8d06 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1304,11 +1304,14 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, int flags)
 	else {
 		h1_release_buf(h1c, &h1c->ibuf);
 		h1_sync_messages(h1c);
+		h1s->cs->flags &= ~(CS_FL_RCV_MORE | CS_FL_WANT_ROOM);
+	}
 
+	if ((h1s->cs->flags & CS_FL_REOS) && (!b_data(&h1c->ibuf) || htx_is_empty(htx))) {
+		h1s->cs->flags |= CS_FL_EOS;
 		h1s->cs->flags &= ~(CS_FL_RCV_MORE | CS_FL_WANT_ROOM);
-		if (h1s->cs->flags & CS_FL_REOS)
-			h1s->cs->flags |= CS_FL_EOS;
 	}
+
 	return total;
 
   parsing_err: