BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages

During headers parsing, an error is returned if the message is too large and
does not fit in the input buffer. The mux h1 used the function b_full() to do
so. But to allow zero copy transfers, in h1_recv(), the input buffer is
pre-aligned and thus few bytes remains always free.

To fix the bug, as during the trailers parsing, the function
buf_room_for_htx_data() should be used instead.

This patch must be backported to 2.0 and 1.9.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 4594a62b43f8631bc63f4b2b38ffc69ec7a1a3c5..78145df5c583e265ee58f6bf16788238042b832e 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -984,7 +984,7 @@ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *h
                /* Incomplete or invalid message. If the buffer is full, it's an
                 * error because headers are too large to be handled by the
                 * parser. */
-               if (ret < 0 || (!ret && b_full(buf)))
+               if (ret < 0 || (!ret && !buf_room_for_htx_data(buf)))
                        goto error;
                goto end;
        }