From d9ca8f6b71cd17bae0718f0b1e9da919fc00264d Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Tue, 8 Jul 2025 08:04:01 +0200 Subject: [PATCH] BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred When HTX blocks from the requests are transferred into the channel buffer, the return value of htx_xfer_blks() function must not be used to increment the channel input value because meta data are counted here while they are not part of input data. Because of this bug, it is possible to forward more data than these present in the channel buffer. Instead, we look at the input data before and after the transfer and the difference is added. It is only an issue with large POSTs, when the payload is streamed. This patch must be backported as far as 2.6. --- src/http_client.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/http_client.c b/src/http_client.c index 47d73e004..96156ecc3 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -592,9 +592,11 @@ void httpclient_applet_io_handler(struct appctx *appctx) channel_add_input(req, data); } else { struct htx_ret ret; + size_t data = htx->data; ret = htx_xfer_blks(htx, hc_htx, htx_used_space(hc_htx), HTX_BLK_UNUSED); - channel_add_input(req, ret.ret); + data = htx->data - data; + channel_add_input(req, data); /* we must copy the EOM if we empty the buffer */ if (htx_is_empty(hc_htx)) { -- 2.47.2