From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 24 Jun 2026 14:35:54 +0000 (+0200)
Subject: BUG/MEDIUM: mux-fcgi: Truly drain outgoing HTX data when the stream is closed
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7668409cf23855ee55a36086160ac79950ed4e95;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-fcgi: Truly drain outgoing HTX data when the stream is closed

When we try to send data to the server and the stream is closed (in error,
in half-closed state or fully closed), remaining data must be drained. This
way the upper stream is able to properly handle the stream close.

However, there was a bug here. The mux claimed to have consumed these data
without draining them from the buffer. So the upper stream will try to send
these data in loop. Because of this bug, it is possible to trigger the
watchdog with a bogus stream.

This patch should fix the issue #3425. It must be backported to all
supported versions.
---

diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index d882a8288..f3a9b9d2c 100644
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -4242,11 +4242,14 @@ static size_t fcgi_snd_buf(struct stconn *sc, struct buffer *buf, size_t count,
 
   done:
 	if (fstrm->state >= FCGI_SS_HLOC) {
+		struct htx_ret htxret;
+
 		/* trim any possibly pending data after we close (extra CR-LF,
 		 * unprocessed trailers, abnormal extra data, ...)
 		 */
-		total += count;
-		count = 0;
+		htxret = htx_drain(htx, count);
+		total += htxret.ret;
+		count -= htxret.ret;
 	}
 
 	if (fstrm->state == FCGI_SS_ERROR) {