From: Willy Tarreau Date: Tue, 1 Mar 2011 19:04:36 +0000 (+0100) Subject: [BUG] http: fix possible incorrect forwarded wrapping chunk size X-Git-Tag: v1.5-dev8~309 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acd20f80;p=thirdparty%2Fhaproxy.git [BUG] http: fix possible incorrect forwarded wrapping chunk size It seems like if a response message is chunked and the chunk size wraps at the end of the buffer and the crlf sequence is incomplete, then we can forward a wrong chunk size due to incorrect handling of the wrapped size. It seems extremely unlikely to occur on real traffic (no reason to have half of the CRLF after a chunk) but nothing prevents it from being possible. This fix must be backported to 1.4. --- diff --git a/src/proto_http.c b/src/proto_http.c index 61ec462cf7..12bb2a3ece 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -5522,6 +5522,9 @@ int http_response_forward_body(struct session *s, struct buffer *res, int an_bit /* forward the chunk size as well as any pending data */ if (msg->hdr_content_len || msg->som != msg->sov) { + int bytes = msg->sov - msg->som; + if (bytes < 0) /* sov may have wrapped at the end */ + bytes += res->size; buffer_forward(res, msg->sov - msg->som + msg->hdr_content_len); msg->hdr_content_len = 0; /* don't forward that again */ msg->som = msg->sov;
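Review bot: the wrap-corrected `bytes` computed in the three added lines is never used. The unchanged context line immediately after them still calls `buffer_forward(res, msg->sov - msg->som + msg->hdr_content_len);` with the raw difference, so when `sov` has wrapped and `msg->sov - msg->som` is negative, the forwarded length is still wrong. The hunk header (6 lines before, 9 after) shows the change only adds lines, so the call itself was not touched. Suggest changing it to `buffer_forward(res, bytes + msg->hdr_content_len);` so the fix described in the commit message actually takes effect. As written, a compiler with unused-variable warnings enabled should also flag `bytes` as set but not used.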