BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return

HTTP/0.9 parser was recently updated to support truncated requests in
rcv_buf operation. However, this caused a leak as input buffer is
allocated early.

In fact, the leak was already present in case of fatal errors. Fix this
by first delaying buffer allocation, so that initial checks are
performed before. Then, ensure that buffer is released in case of a
latter error.

This is considered as minor, as HTTP/0.9 is reserved for experiment and
QUIC interop usages.

This should be backported up to 2.6.

diff --git a/src/hq_interop.c b/src/hq_interop.c
index caf45656bcf0fe8ff625953b861d8e14b7aadcfa..55cccf134616422b8d0e57144ba882a7ee3fdb71 100644 (file)
--- a/src/hq_interop.c
+++ b/src/hq_interop.c
@@ -23,9 +23,6 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
        /* hq-interop parser does not support buffer wrapping. */
        BUG_ON(b_data(b) != b_contig_data(b, 0));
 
-       b_alloc(&htx_buf, DB_MUX_RX);
-       htx = htx_from_buf(&htx_buf);
-
        /* skip method */
        while (data && HTTP_IS_TOKEN(*ptr)) {
                ptr++;
@@ -62,9 +59,14 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 
        path.len = ptr - path.ptr;
 
+       b_alloc(&htx_buf, DB_MUX_RX);
+       htx = htx_from_buf(&htx_buf);
+
        sl = htx_add_stline(htx, HTX_BLK_REQ_SL, 0, ist("GET"), path, ist("HTTP/1.0"));
-       if (!sl)
+       if (!sl) {
+               b_free(&htx_buf);
                return -1;
+       }
 
        sl->flags |= HTX_SL_F_BODYLESS;
        sl->info.req.meth = find_http_meth("GET", 3);
@@ -73,8 +75,10 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
        htx->flags |= HTX_FL_EOM;
        htx_to_buf(htx, &htx_buf);
 
-       if (qcs_attach_sc(qcs, &htx_buf, fin))
+       if (qcs_attach_sc(qcs, &htx_buf, fin)) {
+               b_free(&htx_buf);
                return -1;
+       }
 
        b_free(&htx_buf);