From: Christopher Faulet
Date: Fri, 19 Jul 2019 09:34:08 +0000 (+0200)
Subject: BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
X-Git-Tag: v2.1-dev2~330
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03627245c;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction

At the end of a transaction, when the conn_stream is detached from the H1 connection, on the server side, we must release the input buffer to trim any excess data received from the server to be sure to block invalid responses. A typical example of such data would be from a buggy server responding to a HEAD with some data, or sending more than the advertised content-length.

This issue was reported on GitHub. See issue #176.

This patch must be backported to 2.0 and 1.9.
---

diff --git a/src/mux_h1.c b/src/mux_h1.c index 099cd22352..6517b61f3f 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -2177,6 +2177,11 @@ static void h1_detach(struct conn_stream *cs) if (conn_is_back(h1c->conn) && has_keepalive && !(h1c->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) { + /* Release input buffer to trim any excess data received from + * the server to be sure to block invalid responses. + */ + h1_release_buf(h1c, &h1c->ibuf); + /* Never ever allow to reuse a connection from a non-reuse backend */ if ((h1c->px->options & PR_O_REUSE_MASK) == PR_O_REUSE_NEVR) h1c->conn->flags |= CO_FL_PRIVATE;
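
Review bot: In h1_detach(), the new h1_release_buf(h1c, &h1c->ibuf) call sits inside the keep-alive branch that goes on to prepare the backend connection for reuse, so leftover server bytes are dropped silently and the connection remains a reuse candidate. Since the commit message attributes such bytes to a buggy server (data after a HEAD response, or more than the advertised content-length), I would either state in the comment why trimming alone keeps the connection safe for the next request, or treat a non-empty input buffer at this point as a reason not to reuse the connection. The comment could also say that the release only covers data already buffered at detach time.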