Since support for large buffers was added, we must be careful when chunks
are allocated. Indeed, depending on the context, a large chunk may be
required if data are copied from a large buffer.
In htx_replace_blk_value() function, when a defragmentation is necessary,
the data to be replaced are copied to a chunk before the
defragmentation. However, I forgot to get a large chunk when necessary by
calling alloc_trash_chunk_sz() instead of alloc_trash_chunk(). Because of
this issue, it is possible to copy data to a too small chunk, leading to a
crash.
So let's fix the issue.
Thanks to Vincent55 for finding and reporting this.
No backport needed.
}
else { /* Do a defrag first (it is always an expansion) */
struct htx_blk tmpblk;
- struct buffer *chunk = alloc_trash_chunk();
+ struct buffer *chunk = alloc_trash_chunk_sz(n.len + v.len + delta);
void *ptr;
if (!chunk)
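Review bot: The size expression on the added line, `n.len + v.len + delta`, is not explained, and the hunk does not show what is later copied into `chunk`, so a reader cannot check that this bound covers every write. Please add a short comment above the allocation stating which pieces are copied (presumably the name, the value and the expansion) and that their total never exceeds this sum. It is also worth confirming in the commit message or a comment that the existing `if (!chunk)` path is the intended handling when the large allocation fails, since that failure is now more likely than with the default-sized chunk.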