From: Christopher Faulet Date: Wed, 21 Feb 2024 08:30:46 +0000 (+0100) Subject: BUG/MEDIUM: mux-h1: Don't emit 0-CRLF chunk in h1_done_ff() when iobuf is empty X-Git-Tag: v3.0-dev4~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a2a196fcffebd77d853c843ebc599ffec6dc3aa;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h1: Don't emit 0-CRLF chunk in h1_done_ff() when iobuf is empty A chunk message transferred via zero-copy forwarding in H1 may be corrupted. This only happens when the chunk size is not known during the nego stage and when there is nothing to forward when h1_donn_ff() is called. In this case, we always emit a chunk. Because there is nothing to forward, a 0-CRLF is emitted in the middle of the message. The issue occurred with the HTTP stats applet only. A simple fix is to check the size of data in the iobuf before emitting a new chunk in h1_done_ff(). However, we still try to send outgoing data because when this happens, it is most of time because the H1 output buffer is almost full. This patch should fix the issue #2453. No backport needed. --- diff --git a/src/mux_h1.c b/src/mux_h1.c index 15faa4fc35..19fce077e5 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -4602,7 +4602,7 @@ static size_t h1_done_ff(struct stconn *sc) if (b_room(&h1c->obuf) == sd->iobuf.offset) h1c->flags |= H1C_F_OUT_FULL; - if (sd->iobuf.offset) { + if (sd->iobuf.data && sd->iobuf.offset) { struct buffer buf = b_make(b_orig(&h1c->obuf), b_size(&h1c->obuf), b_peek_ofs(&h1c->obuf, b_data(&h1c->obuf) - sd->iobuf.data + sd->iobuf.offset), sd->iobuf.data);