BUG/MEDIUM: htx: Fix headers rollback on partial copy in htx_xfer()

In htx_xfer() function, when headers are partially copied, depending on the
flags, a rollback may be performed to remove all copied headers from the
destination message. However, there was an issue in the loop performing the
rollback. Instead of decrementing the returned value using the size of the
HTX block from the destination message, the one from the source message was
used. So the wrong value was be returned and in worst case, it could
overflow.

In addition, the BUG_ON() in the loop was removed because test condition was
wrong.

It is a 3.4-specific issue. No backport needed.

diff --git a/src/htx.c b/src/htx.c
index 5e2a8ba0448b084981bf088a87779e4b50b70147..cc0b6d1d4df3ef06ea77fbf211c470748475316c 100644 (file)
--- a/src/htx.c
+++ b/src/htx.c
@@ -831,8 +831,7 @@ size_t htx_xfer(struct htx *dst, struct htx *src, size_t count, unsigned int fla
 
                        /* Remove partial headers/trailers from <dst> and rollback on <src> to not remove them later */
                        while (type == HTX_BLK_REQ_SL || type == HTX_BLK_RES_SL || type == HTX_BLK_HDR || type == HTX_BLK_TLR) {
-                               BUG_ON(type != htx_get_blk_type(blk));
-                               ret -= meta_sz + htx_get_blksz(blk);
+                               ret -= meta_sz + htx_get_blksz(dstblk);
                                htx_remove_blk(dst, dstblk);
                                dstblk = htx_get_tail_blk(dst);
                                blk = htx_get_prev_blk(src, blk);