BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego

When data are transfered via zero-copy data forwarding, if some data were
already received, we try to immediately tranfer it during the negociation
step. If data are chunked and the chunk size is unknown, 10 bytes are reserved
to write the chunk size during the done step. However, when input data are
finally transferred, the offset is ignored. Data are copied into the output
buffer. But the first 10 bytes are then crushed by the chunk size. Thus the
chunk is truncated leading to a malformed message.

This patch should fix the issue #2598. It must be backported to 3.0.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 2928751a5b3a9d09c91525f618c90713e9eeecc5..4973527a981fd436e04c7d50f026b4007023740a 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -4724,7 +4724,9 @@ static size_t h1_nego_ff(struct stconn *sc, struct buffer *input, size_t count,
 
                if (xfer > b_data(input))
                        xfer = b_data(input);
+               h1c->obuf.head += offset;
                h1s->sd->iobuf.data = b_xfer(&h1c->obuf, input, xfer);
+               h1c->obuf.head -= offset;
 
                /* Cannot forward more data, wait for room */
                if (b_data(input))