From: Christopher Faulet Date: Thu, 25 Jan 2024 13:57:17 +0000 (+0100) Subject: MINOR: mux-h1: Stop zero-copy forwarding during nego for too big requested size X-Git-Tag: v3.0-dev3~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcb964f8db45d6bcd367ad6f587c49b9727cfa50;p=thirdparty%2Fhaproxy.git MINOR: mux-h1: Stop zero-copy forwarding during nego for too big requested size Now, during the zero-copy forwarding negotiation, when the requested size is exact, we are now able to check if it is bigger than the expected one or not. If it is indeed bigger than expeceted, the zero-copy forwarding is disabled, the error will be triggered later on the normal sending path.
---
diff --git a/src/mux_h1.c b/src/mux_h1.c
index a08d08520f..6f6b95e060 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -4460,13 +4460,24 @@ static size_t h1_nego_ff(struct stconn *sc, struct buffer *input, size_t count,
 goto out;
 }
 
- /* TODO: add check on curr_len if CLEN */
-
- if (h1m->flags & H1_MF_CHNK) {
+ if (h1m->flags & H1_MF_CLEN) {
+ if ((flags & NEGO_FF_FL_EXACT_SIZE) && count > h1m->curr_len) {
+ TRACE_ERROR("more payload than announced", H1_EV_STRM_SEND|H1_EV_STRM_ERR, h1c->conn, h1s);
+ h1s->sd->iobuf.flags |= IOBUF_FL_NO_FF;
+ goto out;
+ }
+ }
+ else if (h1m->flags & H1_MF_CHNK) {
 if (h1m->curr_len) {
 BUG_ON(h1m->state != H1_MSG_DATA);
- if (count > h1m->curr_len)
+ if (count > h1m->curr_len) {
+ if ((flags & NEGO_FF_FL_EXACT_SIZE) && count > h1m->curr_len) {
+ TRACE_ERROR("chunk bigger than announced", H1_EV_STRM_SEND|H1_EV_STRM_ERR, h1c->conn, h1s);
+ h1s->sd->iobuf.flags |= IOBUF_FL_NO_FF;
+ goto out;
+ }
 count = h1m->curr_len;
+ }
 }
 else {
 BUG_ON(h1m->state != H1_MSG_CHUNK_CRLF && h1m->state != H1_MSG_CHUNK_SIZE);
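Review bot: In the `H1_MF_CLEN` branch the length check only runs when `NEGO_FF_FL_EXACT_SIZE` is set, so a non-exact `count` larger than `h1m->curr_len` is still negotiated as-is, whereas the chunked branch clamps it with `count = h1m->curr_len;`. Forwarding more bytes than the announced Content-Length would break HTTP/1 message framing for the peer, so either the same clamp belongs here or a comment should name the later path that rejects the excess (the commit message points to the normal sending path, which is not visible in this hunk). In the chunked branch the inner test repeats the enclosing condition; `if (flags & NEGO_FF_FL_EXACT_SIZE) {` is enough inside `if (count > h1m->curr_len) {`. h1_nego_ff starts and ends outside the hunk.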