BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation

In hpack_encode_header() there is a length check to verify that a literal
header name fits in the buffer, but there it an off-by-one in this length
check, which forgets the byte required to mark the encoding type (literal
without indexing). It should be harmless though as it cannot be triggered
since response headers passing through haproxy are limited by the reserve,
which is not the case of the output buffer.

This fix should be backported to 1.8.

diff --git a/src/hpack-enc.c b/src/hpack-enc.c
index c4c8ea2408825016f8057d9c141ce6818c2594b5..836584ab41e43524c3eea6723c9311ee885cf9bf 100644 (file)
--- a/src/hpack-enc.c
+++ b/src/hpack-enc.c
@@ -109,7 +109,7 @@ int hpack_encode_header(struct buffer *out, const struct ist n,
                out->area[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24)
        else if (isteq(n, ist("content-length")))
                out->area[len++] = 0x5c; // literal with indexing -- name="content-length" (idx 28)
-       else if (len_to_bytes(n.len) && len + len_to_bytes(n.len) + n.len <= size) {
+       else if (len_to_bytes(n.len) && len + 1 + len_to_bytes(n.len) + n.len <= size) {
                out->area[len++] = 0x00;      /* literal without indexing -- new name */
 
                len = hpack_encode_len(out->area, len, n.len);