From: Amaury Denoyelle Date: Thu, 27 Feb 2025 17:07:17 +0000 (+0100) Subject: BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return X-Git-Tag: v3.2-dev7~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0f97040a33c31f7d4b839ced4f5aa598f76bcdd;p=thirdparty%2Fhaproxy.git BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return HTTP/0.9 parser was recently updated to support truncated requests in rcv_buf operation. However, this caused a leak as input buffer is allocated early. In fact, the leak was already present in case of fatal errors. Fix this by first delaying buffer allocation, so that initial checks are performed before. Then, ensure that buffer is released in case of a latter error. This is considered as minor, as HTTP/0.9 is reserved for experiment and QUIC interop usages. This should be backported up to 2.6. --- diff --git a/src/hq_interop.c b/src/hq_interop.c index caf45656b..55cccf134 100644 --- a/src/hq_interop.c +++ b/src/hq_interop.c @@ -23,9 +23,6 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin) /* hq-interop parser does not support buffer wrapping. */ BUG_ON(b_data(b) != b_contig_data(b, 0)); - b_alloc(&htx_buf, DB_MUX_RX); - htx = htx_from_buf(&htx_buf); - /* skip method */ while (data && HTTP_IS_TOKEN(*ptr)) { ptr++; @@ -62,9 +59,14 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin) path.len = ptr - path.ptr; + b_alloc(&htx_buf, DB_MUX_RX); + htx = htx_from_buf(&htx_buf); + sl = htx_add_stline(htx, HTX_BLK_REQ_SL, 0, ist("GET"), path, ist("HTTP/1.0")); - if (!sl) + if (!sl) { + b_free(&htx_buf); return -1; + } sl->flags |= HTX_SL_F_BODYLESS; sl->info.req.meth = find_http_meth("GET", 3); @@ -73,8 +75,10 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin) htx->flags |= HTX_FL_EOM; htx_to_buf(htx, &htx_buf); - if (qcs_attach_sc(qcs, &htx_buf, fin)) + if (qcs_attach_sc(qcs, &htx_buf, fin)) { + b_free(&htx_buf); return -1; + } b_free(&htx_buf);