From 03627245c67216bb003912df42150ec1401cd716 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 19 Jul 2019 11:34:08 +0200
Subject: [PATCH] BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
At the end of a transaction, when the conn_stream is detach from the H1 connection, on the server side, we must release the input buffer to trim any excess data received from the server to be sure to block invalid responses. A typical example of such data would be from a buggy server responding to a HEAD with some data, or sending more than the advertised content-length. This issue was reported on Gitbub. See issue #176. This patch must be backported to 2.0 and 1.9.
---
 src/mux_h1.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/mux_h1.c b/src/mux_h1.c
index 099cd22352..6517b61f3f 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -2177,6 +2177,11 @@ static void h1_detach(struct conn_stream *cs)
 if (conn_is_back(h1c->conn) && has_keepalive &&
 !(h1c->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) {
+ /* Release input buffer to trim any excess data received from
+ * the server to be sure to block invalid responses.
+ */
+ h1_release_buf(h1c, &h1c->ibuf);
+
 /* Never ever allow to reuse a connection from a non-reuse backend */
 if ((h1c->px->options & PR_O_REUSE_MASK) == PR_O_REUSE_NEVR)
 h1c->conn->flags |= CO_FL_PRIVATE;
-- 
2.39.5
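Review bot: The `h1_release_buf(h1c, &h1c->ibuf);` call added at the top of the keep-alive branch drops only the excess bytes already buffered when the stream detaches; anything the server sends after that point would still arrive on a connection this branch goes on to keep for reuse. Whether the idle-connection path rejects such late data is not visible in this hunk, so the new comment should state the limit, e.g. `/* Only data already received is dropped here; excess data arriving later must be handled when the idle connection is read again. */`. A server that sends more than it advertised is the condition that can desynchronise responses on a reused connection, so it may be safer not to reuse the connection at all when the buffer was non-empty, and to count or log the event so the misbehaving backend can be identified. h1_detach() starts and ends outside the hunk.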