From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 26 Jun 2019 12:56:27 +0000 (+0200)
Subject: BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages
X-Git-Tag: v2.1-dev1~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5438b749c6381f7cb7c63155669f375b51943ff;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages

During headers parsing, an error is returned if the message is too large and
does not fit in the input buffer. The mux h1 used the function b_full() to do
so. But to allow zero copy transfers, in h1_recv(), the input buffer is
pre-aligned and thus few bytes remains always free.

To fix the bug, as during the trailers parsing, the function
buf_room_for_htx_data() should be used instead.

This patch must be backported to 2.0 and 1.9.
---

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 4594a62b43..78145df5c5 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -984,7 +984,7 @@ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *h
 		/* Incomplete or invalid message. If the buffer is full, it's an
 		 * error because headers are too large to be handled by the
 		 * parser. */
-		if (ret < 0 || (!ret && b_full(buf)))
+		if (ret < 0 || (!ret && !buf_room_for_htx_data(buf)))
 			goto error;
 		goto end;
 	}