From: Willy Tarreau
Date: Thu, 27 Sep 2012 13:08:56 +0000 (+0200)
Subject: BUG/MAJOR: http: chunk parser was broken with buffer changes
X-Git-Tag: v1.5-dev13~258
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8ffd378f0dfe57e4b613db80600816e83d8e2fa;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: http: chunk parser was broken with buffer changes

Since at least commit a458b679, msg->sov could become negative in http_parse_chunk_size() if a chunk size wrapped around the buffer. The effect is that at some point channel_forward() was called with a negative size, causing all data to be transferred without being analyzed anymore.

Since haproxy does not support keep-alive with the server yet, this issue is not really noticeable, as the server closes the connection in response. Still, when tunnel mode is used or when pretend-keepalive is used, it is possible to see the problem.

This issue was reported and diagnosed by William Lallemand at Exceliance.
---
diff --git a/src/proto_http.c b/src/proto_http.c index 983d3946d1..85ee021379 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -1826,6 +1826,8 @@ int http_parse_chunk_size(struct http_msg *msg) * which may or may not be present. We save that into ->next and * ->sov. */ + if (ptr < ptr_old) + msg->sov += buf->buf.size; msg->sov += ptr - ptr_old; msg->next = buffer_count(&buf->buf, buf->buf.p, ptr); msg->chunk_len = chunk;
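Review bot: The added `if (ptr < ptr_old)` correction in http_parse_chunk_size() open-codes the wrap-around, while the very next statement computes msg->next through buffer_count(), so the two offsets are derived by different means and can drift apart again on the next buffer change. If buffer_count() returns the wrapped distance between its two pointer arguments, as its use on the msg->next line suggests, `msg->sov += buffer_count(&buf->buf, ptr_old, ptr);` would replace both the new test and the subtraction. If the explicit test stays, the comment above it should say that ptr can be lower than ptr_old when the chunk size wraps past the end of the buffer, since the existing comment only mentions saving into ->next and ->sov. The commit message also states that the symptom was channel_forward() being called with a negative size and forwarding all data unanalyzed; this hunk fixes the one producer, and a check that rejects a negative length where that call is made would keep a similar miscalculation from silently bypassing analysis.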