From: Christopher Faulet Date: Wed, 20 May 2026 14:13:25 +0000 (+0200) Subject: BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value() X-Git-Tag: v3.4-dev13~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=482b6763a32c37a42ace8f1ede959cba1942afa9;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value() Since support for large buffers was added, we must be careful when chunks are allocated. Indeed, depending on the context, a large chunk may be required if data are copied from a large buffer. In htx_replace_blk_value() function, when a defragmentation is necessary, the data to be replaced are copied to a chunk before the defragmentation. However, I forgot to get a large chunk when necessary by calling alloc_trash_chunk_sz() instead of alloc_trash_chunk(). Because of this issue, it is possible to copy data to a too small chunk, leading to a crash. So let's fix the issue. Thanks to Vincent55 for finding and reporting this. No backport needed. --- diff --git a/src/htx.c b/src/htx.c index f502da4f0..5e2a8ba04 100644 --- a/src/htx.c +++ b/src/htx.c @@ -681,7 +681,7 @@ struct htx_blk *htx_replace_blk_value(struct htx *htx, struct htx_blk *blk, } else { /* Do a defrag first (it is always an expansion) */ struct htx_blk tmpblk; - struct buffer *chunk = alloc_trash_chunk(); + struct buffer *chunk = alloc_trash_chunk_sz(n.len + v.len + delta); void *ptr; if (!chunk)
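Review bot: the size passed on the added line, n.len + v.len + delta, is not tied by any comment to the bytes that are later copied into chunk, and that copy is outside the visible context, so the bound cannot be checked from this hunk alone. Since the commit message describes the failure as a copy into a too small chunk, please add a one-line comment above the allocation stating what the chunk must hold (which of the name, the old value and the new value), and extend the existing "it is always an expansion" comment to say that delta is therefore never negative here, so the sum cannot come out smaller than the data copied. It would also help to state, in the commit message or next to the if (!chunk) check, that a request alloc_trash_chunk_sz() cannot satisfy returns NULL and takes that same error path rather than handing back a smaller chunk.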