From: Christopher Faulet
Date: Mon, 25 Feb 2019 14:29:51 +0000 (+0100)
Subject: BUG/MEDIUM: mux-h1: Report the right amount of data xferred in h1_rcv_buf()
X-Git-Tag: v2.0-dev1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8d2ee0406666aa21f2906a4921e5e1c7afefb7e;p=thirdparty%2Fhaproxy.git
BUG/MEDIUM: mux-h1: Report the right amount of data xferred in h1_rcv_buf()
h1_rcv_buf() must return the amount of data copied in the channel's buffer and not the number of bytes parsed. Because this value is used during the fast forwarding to decrement to_forward value, returning the wrong value leads to undefined behaviours. This patch must be backported to 1.9.
---
diff --git a/src/mux_h1.c b/src/mux_h1.c
index 1e4041bd7e..a88722c6d2 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1316,12 +1316,14 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, int flags)
 struct h1s *h1s = h1c->h1s;
 struct h1m *h1m;
 struct htx *htx;
+ size_t data = 0;
 size_t total = 0;
 size_t ret = 0;
 size_t count, rsv;
 int errflag;
 htx = htx_from_buf(buf);
+ data = htx->data;
 count = b_data(&h1c->ibuf);
 if (!count) goto end;
@@ -1373,7 +1375,7 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, int flags)
 end:
 htx_to_buf(htx, buf);
-
+ data = (htx->data - data);
 if (h1c->flags & H1C_F_IN_FULL && buf_room_for_htx_data(&h1c->ibuf)) {
 h1c->flags &= ~H1C_F_IN_FULL;
 tasklet_wakeup(h1c->wait_event.task);
@@ -1390,9 +1392,11 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, int flags)
 if ((h1s->cs->flags & CS_FL_REOS) && (!b_data(&h1c->ibuf) || htx_is_empty(htx))) {
 h1s->cs->flags |= CS_FL_EOS;
+ if (h1m->state < H1_MSG_DONE)
+ h1s->cs->flags |= CS_FL_ERROR;
 }
- return total;
+ return data;
 parsing_err:
 b_reset(&h1c->ibuf);
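Review bot: In the second hunk, `data = (htx->data - data);` after the `end:` label is an unsigned subtraction, so it wraps to a huge size_t if `htx->data` is ever smaller there than the snapshot taken in the first hunk. The commit message says this return value decrements to_forward, so a wrapped result would corrupt the forwarding count rather than fail visibly. The visible lines do not show the payload shrinking, but the function body between the hunks and the `parsing_err` path are outside the diff, so the invariant is worth writing down: `/* htx->data can only grow between the snapshot and here */`. Keeping the snapshot in its own variable instead of overwriting `data` with the delta would also keep the two meanings distinct.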
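Review bot: In the third hunk, the added `if (h1m->state < H1_MSG_DONE)` appears able to read `h1m` before it has been assigned. The first hunk shows `struct h1m *h1m;` declared without an initializer and `if (!count) goto end;` taken before any visible assignment, and `!count` is the same condition as `!b_data(&h1c->ibuf)` in the enclosing test, so an empty input buffer with CS_FL_REOS set seems to reach the dereference directly. Select the message (that assignment is outside the hunks) before the early `goto end`, or declare `struct h1m *h1m = NULL;` and test `if (h1m && h1m->state < H1_MSG_DONE)`. The function body continues outside all three hunks, so this should be confirmed against the full file.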