From acd20f80c113087de0385f82b541e80cc789f92a Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 1 Mar 2011 20:04:36 +0100
Subject: [PATCH] [BUG] http: fix possible incorrect forwarded wrapping chunk size

It seems like if a response message is chunked and the chunk size wraps at the end of the buffer and the crlf sequence is incomplete, then we can forward a wrong chunk size due to incorrect handling of the wrapped size. It seems extremely unlikely to occur on real traffic (no reason to have half of the CRLF after a chunk) but nothing prevents it from being possible. This fix must be backported to 1.4.
---
 src/proto_http.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/proto_http.c b/src/proto_http.c
index 61ec462cf7..12bb2a3ece 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -5522,6 +5522,9 @@ int http_response_forward_body(struct session *s, struct buffer *res, int an_bit
 /* forward the chunk size as well as any pending data */
 if (msg->hdr_content_len || msg->som != msg->sov) {
+ int bytes = msg->sov - msg->som;
+ if (bytes < 0) /* sov may have wrapped at the end */
+ bytes += res->size;
 buffer_forward(res, msg->sov - msg->som + msg->hdr_content_len);
 msg->hdr_content_len = 0; /* don't forward that again */
 msg->som = msg->sov;
--
2.39.5
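Review bot: The new local `bytes` is computed and wrap-corrected but never used: the unchanged call right after the added lines still passes `msg->sov - msg->som + msg->hdr_content_len` to `buffer_forward()`, so when `sov` has wrapped the uncorrected difference still ends up in the forward length and the fix has no effect. The call should read `buffer_forward(res, bytes + msg->hdr_content_len);`. Because this length decides how many bytes of a chunked response are relayed, a wrong value can presumably desynchronise message framing towards the client, so a regression test with a chunk-size line split across the buffer end and an incomplete CRLF is worth adding. The body of `http_response_forward_body` starts and ends outside the hunk, so the types of `sov`, `som` and `res->size` are not visible here and should be checked to confirm the `int` arithmetic cannot truncate.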