From: Christopher Faulet Date: Mon, 26 Apr 2021 15:46:13 +0000 (+0200) Subject: BUG/MINOR: mux-h2: Don't encroach on the reserve when decoding headers X-Git-Tag: v2.4-dev18~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d87558f3589c97c809c0c74be7c9fd08293db86;p=thirdparty%2Fhaproxy.git BUG/MINOR: mux-h2: Don't encroach on the reserve when decoding headers Since the input buffer is transferred to the stream when it is created, there is no longer control on the request size to be sure the buffer's reserve is still respected. It was automatically performed in h2_rcv_buf() because the caller took care to provide the correct available space in the buffer. The control is still there but it is no longer applied on the request headers. Now, we should take care of the reserve when the headers are decoded, before the stream creation. The test is performed for the request and the response. It is a 2.4-specific bug. No backport is needed. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index 950dc9e73a..f1749f8d13 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -4736,9 +4736,10 @@ next_frame: else outlen = h2_make_htx_request(list, htx, &msgf, body_len); - if (outlen < 0) { + if (outlen < 0 || htx_free_space(htx) < global.tune.maxrewrite) { /* too large headers? this is a stream error only */ - TRACE_STATE("request headers too large", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR|H2_EV_PROTO_ERR, h2c->conn); + TRACE_STATE("message headers too large", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR|H2_EV_PROTO_ERR, h2c->conn); + htx->flags |= HTX_FL_PARSING_ERROR; goto fail; }
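Review bot: the added `htx->flags |= HTX_FL_PARSING_ERROR;` sits inside the shared error branch, so it now also runs on the pre-existing `outlen < 0` path, not only when `htx_free_space(htx) < global.tune.maxrewrite`. The commit message describes only the reserve check, so if flagging the decode-failure case is intended, say so there; if not, set the flag only for the reserve case. The retained comment `/* too large headers? this is a stream error only */` and the single "message headers too large" trace no longer tell the two causes apart. Extending the comment to mention that the branch is also taken when decoding leaves less than `global.tune.maxrewrite` free in the HTX, and ideally using a distinct trace string for that case, would make it clear whether a rejected message failed decoding or merely encroached on the reserve, which matters when someone tunes `maxrewrite` and starts seeing stream errors.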