BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction

At the end of a transaction, when the conn_stream is detach from the H1
connection, on the server side, we must release the input buffer to trim any
excess data received from the server to be sure to block invalid responses.  A
typical example of such data would be from a buggy server responding to a HEAD
with some data, or sending more than the advertised content-length.

This issue was reported on Gitbub. See issue #176.

This patch must be backported to 2.0 and 1.9.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 099cd223521ecdb4bffeb021d8f23e11341e317b..6517b61f3fd4d9e8f650de66f608c3bbfbd22e53 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -2177,6 +2177,11 @@ static void h1_detach(struct conn_stream *cs)
 
        if (conn_is_back(h1c->conn) && has_keepalive &&
            !(h1c->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) {
+               /* Release input buffer to trim any excess data received from
+                * the server to be sure to block invalid responses.
+                */
+               h1_release_buf(h1c, &h1c->ibuf);
+
                /* Never ever allow to reuse a connection from a non-reuse backend */
                if ((h1c->px->options & PR_O_REUSE_MASK) == PR_O_REUSE_NEVR)
                        h1c->conn->flags |= CO_FL_PRIVATE;