BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks()

When transfering blocks from an src to another dst htx representation,
htx_xfer_blks() decreases the size of each block removed from the <count>
value passed in parameter, so it can't transfer more than <count>. The
size must also contains the metadata, represented by a simple
sizeof(struct htk_blk).

However, the code was doing a sizeof(dstblk) instead of a
sizeof(*dstblk) which as the consequence of removing only a size_t from
count. Fortunately htx_blk size is 64bits, so that does not provoke any
problem in 64bits. But on 32bits architecture, the count value is not
decreased correctly and the function could try to transfer more blocks
than allowed by the count parameter.

Must be backported in every stable release.

diff --git a/src/htx.c b/src/htx.c
index feb7eec8771bb0e471a4f84cb2c65c11d42f4bf1..a438d7ff5de05a1392dc9f31a8c9606a9a58a3f2 100644 (file)
--- a/src/htx.c
+++ b/src/htx.c
@@ -722,7 +722,7 @@ struct htx_ret htx_xfer_blks(struct htx *dst, struct htx *src, uint32_t count,
                dstblk->info = info;
                htx_memcpy(htx_get_blk_ptr(dst, dstblk), htx_get_blk_ptr(src, blk), sz);
 
-               count -= sizeof(dstblk) + sz;
+               count -= sizeof(*dstblk) + sz;
                if (blk->info != info) {
                        /* Partial xfer: don't remove <blk> from <src> but
                         * resize its content */