From: Christopher Faulet Date: Fri, 29 May 2026 14:26:29 +0000 (+0200) Subject: BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers X-Git-Tag: v3.4.0~34 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=de25313cd8c58f120d52ddb57a26fff5ca4951c6;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers When message headers are formatted, the connection and upgrade header values are parsed to be sanitized and to fill H1M flags. The values are modified in place without changing the HTX message information accordingly (the block info and the HTX info). It could be an issue if the output buffer is full and the header cannot be formatted. Because the formatting can be stopped with a HTX message in hazardous state. It should be quite difficult to trigger this issue. But now, a copy of the value is performed before parsing it. So only the copy will be altered, leaving the HTX message in a safe state. This patch must be backported to all stable versions. --- diff --git a/src/mux_h1.c b/src/mux_h1.c index 1ad6260fe..556250144 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -2708,11 +2708,17 @@ static size_t h1_make_headers(struct h1s *h1s, struct h1m *h1m, struct htx *htx, h1s->flags |= H1S_F_HAVE_CLEN; } else if (isteq(n, ist("connection"))) { + /* copy the value because it can be modified, but the HTX blocks will not */ + memcpy(trash.area, v.ptr, v.len); + v.ptr = trash.area; h1_parse_connection_header(h1m, &v); if (!v.len) goto nextblk; } else if (isteq(n, ist("upgrade"))) { + /* copy the value because it can be modified, but the HTX blocks will not */ + memcpy(trash.area, v.ptr, v.len); + v.ptr = trash.area; h1_parse_upgrade_header(h1m, &v); if (!v.len) goto nextblk;
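Review bot: the two added `memcpy(trash.area, v.ptr, v.len);` calls, in both the `connection` and the `upgrade` branch of `h1_make_headers()`, copy without any visible check that `v.len` fits in the trash buffer. If an invariant elsewhere guarantees that a header value can never exceed the trash size, state it in the comment. Otherwise, compare `v.len` against `trash.size` before the copy and take the error path when it does not fit. A second point on the same lines: after `v.ptr = trash.area;` the value lives in the shared scratch buffer, so the change is only safe if neither `h1_parse_connection_header()` / `h1_parse_upgrade_header()` nor the code that later formats `v` into the output buffer touches `trash` again before `v` is consumed. A short note in the comment saying so would prevent a later edit from clobbering the copy. Finally, the same three lines appear in both branches; a small helper would keep the two copies from drifting apart.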