From 1a2a196fcffebd77d853c843ebc599ffec6dc3aa Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 21 Feb 2024 09:30:46 +0100 Subject: [PATCH] BUG/MEDIUM: mux-h1: Don't emit 0-CRLF chunk in h1_done_ff() when iobuf is empty A chunk message transferred via zero-copy forwarding in H1 may be corrupted. This only happens when the chunk size is not known during the nego stage and when there is nothing to forward when h1_donn_ff() is called. In this case, we always emit a chunk. Because there is nothing to forward, a 0-CRLF is emitted in the middle of the message. The issue occurred with the HTTP stats applet only. A simple fix is to check the size of data in the iobuf before emitting a new chunk in h1_done_ff(). However, we still try to send outgoing data because when this happens, it is most of time because the H1 output buffer is almost full. This patch should fix the issue #2453. No backport needed. --- src/mux_h1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index 15faa4fc35..19fce077e5 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -4602,7 +4602,7 @@ static size_t h1_done_ff(struct stconn *sc) if (b_room(&h1c->obuf) == sd->iobuf.offset) h1c->flags |= H1C_F_OUT_FULL; - if (sd->iobuf.offset) { + if (sd->iobuf.data && sd->iobuf.offset) { struct buffer buf = b_make(b_orig(&h1c->obuf), b_size(&h1c->obuf), b_peek_ofs(&h1c->obuf, b_data(&h1c->obuf) - sd->iobuf.data + sd->iobuf.offset), sd->iobuf.data); -- 2.47.3