From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 31 Mar 2026 20:24:32 +0000 (+0200)
Subject: BUG/MINOR: http_act: Properly handle decoding errors in *-headers-bin actions
X-Git-Tag: v3.4-dev8~72
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7c73b08a9843d61238c4baf11714be1dc8b85fee;p=thirdparty%2Fhaproxy.git

BUG/MINOR: http_act: Properly handle decoding errors in *-headers-bin actions

When binary headers are decoded, return value of decode_varint() function is
not properly handled. On error, it can return -1. However, the result is
inconditionnaly added to an unsigned offset.

Now, a temporary variable is used to be abl to test decode_varint() return
value. It is added to the offset on success only.

No backport needed.
---

diff --git a/src/http_act.c b/src/http_act.c
index ce98bd7d8..c2aab4ecc 100644
--- a/src/http_act.c
+++ b/src/http_act.c
@@ -1515,14 +1515,18 @@ static enum act_return http_action_set_headers_bin(struct act_rule *rule, struct
 	decoded->data = bytes_read;
 
 	while (1) {
-		offset += decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
-		if (offset == -1)
+		int ret;
+
+		ret = decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
+		if (ret == -1)
 			goto fail_rewrite;
+		offset += ret;
 
 		if (!sz) {
-			offset += decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
-			if (offset == -1)
+			ret = decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
+			if (ret == -1)
 				goto fail_rewrite;
+			offset += ret;
 			if (!sz)
 				goto leave;
 			else
@@ -1533,9 +1537,10 @@ static enum act_return http_action_set_headers_bin(struct act_rule *rule, struct
 		offset += sz;
 		decoded->area += sz;
 
-		offset += decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
-		if (offset == -1)
+		ret = decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
+		if (ret == -1)
 			goto fail_rewrite;
+		offset += ret;
 
 		v = ist2(decoded->area, sz);
 		offset += sz;
@@ -1977,14 +1982,18 @@ static enum act_return http_action_del_headers_bin(struct act_rule *rule, struct
 	decoded->data = bytes_read;
 
 	while (1) {
-		offset += decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
-		if (offset == -1)
+		int ret;
+
+		ret = decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
+		if (ret == -1)
 			goto fail_rewrite;
+		offset += ret;
 
 		if (!sz) {
-			offset += decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
-			if (offset == -1)
+			ret = decode_varint(&decoded->area, decoded->area + decoded->data - offset, &sz);
+			if (ret == -1)
 				goto fail_rewrite;
+			offset += ret;
 			if (!sz)
 				goto leave;
 			else