From: Christopher Faulet Date: Mon, 1 Jun 2026 07:45:32 +0000 (+0200) Subject: BUG/MEDIUM: htx: Fix headers rollback on partial copy in htx_xfer() X-Git-Tag: v3.4.0~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21990530188ca07e3d1fadda244314fb40b3f4d9;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: htx: Fix headers rollback on partial copy in htx_xfer() In htx_xfer() function, when headers are partially copied, depending on the flags, a rollback may be performed to remove all copied headers from the destination message. However, there was an issue in the loop performing the rollback. Instead of decrementing the returned value using the size of the HTX block from the destination message, the one from the source message was used. So the wrong value was be returned and in worst case, it could overflow. In addition, the BUG_ON() in the loop was removed because test condition was wrong. It is a 3.4-specific issue. No backport needed. --- diff --git a/src/htx.c b/src/htx.c index 5e2a8ba04..cc0b6d1d4 100644 --- a/src/htx.c +++ b/src/htx.c @@ -831,8 +831,7 @@ size_t htx_xfer(struct htx *dst, struct htx *src, size_t count, unsigned int fla /* Remove partial headers/trailers from and rollback on to not remove them later */ while (type == HTX_BLK_REQ_SL || type == HTX_BLK_RES_SL || type == HTX_BLK_HDR || type == HTX_BLK_TLR) { - BUG_ON(type != htx_get_blk_type(blk)); - ret -= meta_sz + htx_get_blksz(blk); + ret -= meta_sz + htx_get_blksz(dstblk); htx_remove_blk(dst, dstblk); dstblk = htx_get_tail_blk(dst); blk = htx_get_prev_blk(src, blk);