From: Andrea Cocito <andrea@cocito.eu>
Date: Tue, 23 Jun 2026 09:44:39 +0000 (+0200)
Subject: BUG/MEDIUM: h3: increment unknown request payload length
X-Git-Tag: v3.5-dev1~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=859a50a5c024d11f8d0f592d572bf35cee9fa60a;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: increment unknown request payload length

When an HTTP/3 request carries DATA frames without a Content-Length
header, the H3 mux updates the stream endpoint known input payload
length so the stream layer can pass this information to the output mux.

The current code assigns h3s->data_len to qcs->sd->kip. However,
h3s->data_len is cumulative, while sedesc->kip is an incremental value:
it is moved to the opposite side as kop and then consumed by the output
mux. With multiple DATA frames, the H1 output mux may therefore announce
chunk sizes based on the total body length received so far instead of
the next payload length.

For an H3-to-H1 request without Content-Length, this can produce
malformed chunked encoding on the backend connection. A backend HTTP/1
parser may then reject the request, and HAProxy can return a 500 to the
client.

Fix this by incrementing qcs->sd->kip with the current DATA frame length
instead of assigning the cumulative body length.

This should be backported up to 3.3.
---

diff --git a/src/h3.c b/src/h3.c
index f3c18bfe3..fddc845f9 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -1937,7 +1937,7 @@ static ssize_t h3_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 				}
 				else if (qcs->sd) {
 					/* content-length not present, update estimated payload length. */
-					qcs->sd->kip = h3s->data_len;
+					qcs->sd->kip += flen;
 				}
 			}