From: Greg Kroah-Hartman
Date: Tue, 7 Apr 2026 07:48:10 +0000 (+0200)
Subject: BUG/MEDIUM: chunk: fix typo allocating small trash with bufsize_large
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f712841cf09ecc13cd6e26d161cd2f685d84a4cd;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: chunk: fix typo allocating small trash with bufsize_large

A copy-paste error in alloc_trash_buffers_per_thread() passes global.tune.bufsize_large to alloc_small_trash_buffers() instead of global.tune.bufsize_small. This sets small_trash_size = bufsize_large.

When tune.bufsize.large is configured, get_larger_trash_chunk() then incorrectly matches a large buffer against small_trash_size at line 169 and "grows" it to a regular (smaller) buffer. b_xfer() at line 179 attempts to copy the large buffer's contents into the smaller one:

- Default builds (DEBUG_STRICT=1): BUG_ON in __b_putblk() aborts the process -> remote DoS
- DEBUG_STRICT=0 builds: BUG_ON becomes ASSUME() and the compiler elides the check -> heap overflow with attacker-controlled bytes

Reachable via the json converter (sample.c:2862) when escaping ~bufsize_large/6 control characters in attacker-supplied data such as a request header or body.

Introduced in commit 92a24a4e875b ("MEDIUM: chunk: Add support for small chunks"). No backport needed.
---
diff --git a/src/chunk.c b/src/chunk.c index 639c73157..e6d9a44a7 100644 --- a/src/chunk.c +++ b/src/chunk.c @@ -233,7 +233,7 @@ static int alloc_trash_buffers_per_thread() { return (alloc_trash_buffers(global.tune.bufsize) && alloc_large_trash_buffers(global.tune.bufsize_large) && - alloc_small_trash_buffers(global.tune.bufsize_large)); + alloc_small_trash_buffers(global.tune.bufsize_small)); } static void free_trash_buffers_per_thread()
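Review bot: The one-token change in the hunk is the correct fix (alloc_small_trash_buffers() now receives global.tune.bufsize_small, matching the bufsize and bufsize_large arguments passed to the two calls above it), but nothing in alloc_trash_buffers_per_thread() would catch the same swap if it recurred. Since the description relies on the three pools being ordered small < regular < large for get_larger_trash_chunk()'s comparison against small_trash_size to mean anything, consider adding a startup-time check that the three configured sizes are ordered that way, or a BUG_ON before the b_xfer() in get_larger_trash_chunk() that the destination chunk is at least as large as the source, so an inconsistent setup fails at init rather than as a runtime heap overflow in DEBUG_STRICT=0 builds. The commit message also refers to line numbers (169, 179, sample.c:2862) that will drift over time; naming the function or the condition being checked would keep the description accurate for anyone reading the history later.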