From: Christopher Faulet
Date: Mon, 17 Jun 2019 09:44:47 +0000 (+0200)
Subject: BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built
X-Git-Tag: v2.1-dev1~85
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c6de00d7c842a682bba7586ef34fb10f69ec63c;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built

When an H2 request is converted into an HTX message, all cookie headers are grouped into one, each value separated by a semicolon (;). To do so, we add the header "cookie" with the first value and then we update the value by appending other cookies. But during this operation, only the size of the HTX block is updated, and not the data length of the whole HTX message.

It is an old bug and it seems to work by chance till now. But it may lead to undefined behaviour from time to time.

This patch must be backported to 2.0 and 1.9
---
diff --git a/src/h2.c b/src/h2.c index 9681aca532..32c1ef16be 100644 --- a/src/h2.c +++ b/src/h2.c @@ -737,6 +737,7 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms goto fail; htx_set_blk_value_len(blk, tl); + htx->data += vl+2; *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';'; *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' '; memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl);
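
Review bot: The added `htx->data += vl+2;` in h2_make_htx_request() keeps the message-wide total in step with the block length only by hand, as a second statement next to `htx_set_blk_value_len(blk, tl);`, so the two counters can drift apart again the next time this code is touched. The `2` is the `;` and space written at `bs + 0` and `bs + 1`, and `vl` is the memcpy length, but nothing in the hunk says so, and the increment is written independently of `tl`, whose computation is not visible here. I would either add a one-line comment stating that htx_set_blk_value_len() adjusts only the block and that `vl + 2` is the separator plus the appended cookie value, or move both updates into a single helper so callers that grow a block value in place cannot update one without the other. Minor style point: `vl + 2` with spaces would match the `bs + 2` expressions in the lines that follow.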