mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-18 19:56:59 +00:00
BUG/MEDIUM: h1-htx: Never copy more than the max data allowed during parsing
A bug during H1 data parsing may lead to copy more data than the maximum allowed. The bug is an overflow on this max threshold when it is lower than the size of an htx_blk structure. At first glance, it means it is possible to not respsect the buffer's reserve. So it may lead to rewrite errors but it may also block any progress on the stream if the compression is enabled. In this case, the channel buffer appears as full and the compression must wait for space to proceed. Outside of any bug, it is only possible when there are outgoing data to forward, so the compression filter just waits. Because of this bug, there is nothing to forward. The buffer is just full of input data. Thus nothing move and the stream is infinitly blocked. To fix the bug, we must be sure to be able to create an HTX block of 1 byte without exceeding the maximum allowed. This patch should fix the issue #2053. It must be backported as far as 2.5.
This commit is contained in:
Christopher Faulet
parent
e51891a01d
commit
c9ec9bc834
12
src/h1_htx.c
12
src/h1_htx.c
@ -417,6 +417,8 @@ static size_t h1_copy_msg_data(struct htx **dsthtx, struct buffer *srcbuf, size_
|
||||
/* Be prepared to create at least one HTX block by reserving its size
|
||||
* and adjust <count> accordingly.
|
||||
*/
|
||||
if (max <= sizeof(struct htx_blk))
|
||||
goto end;
|
||||
max -= sizeof(struct htx_blk);
|
||||
if (count > max)
|
||||
count = max;
|
||||
@ -507,8 +509,7 @@ static size_t h1_parse_chunk(struct h1m *h1m, struct htx **dsthtx,
|
||||
case H1_MSG_DATA:
|
||||
new_chunk:
|
||||
used = htx_used_space(*dsthtx);
|
||||
|
||||
if (b_data(srcbuf) == ofs || !lmax)
|
||||
if (b_data(srcbuf) == ofs || lmax <= sizeof(struct htx_blk))
|
||||
break;
|
||||
|
||||
sz = b_data(srcbuf) - ofs;
|
||||
@ -588,6 +589,10 @@ static size_t h1_parse_full_contig_chunks(struct h1m *h1m, struct htx **dsthtx,
|
||||
uint64_t chksz;
|
||||
struct htx_ret htxret;
|
||||
|
||||
lmax = *max;
|
||||
if (lmax <= sizeof(struct htx_blk))
|
||||
goto out;
|
||||
|
||||
/* source info :
|
||||
* start : pointer at <ofs> position
|
||||
* end : pointer marking the end of data to parse
|
||||
@ -616,7 +621,6 @@ static size_t h1_parse_full_contig_chunks(struct h1m *h1m, struct htx **dsthtx,
|
||||
* from <max>. Then we must adjust it if it exceeds the free size in the
|
||||
* block.
|
||||
*/
|
||||
lmax = *max;
|
||||
if (!dpos)
|
||||
lmax -= sizeof(struct htx_blk);
|
||||
if (lmax > htx_get_blksz(htxret.blk) - dpos)
|
||||
@ -829,7 +833,7 @@ size_t h1_parse_msg_data(struct h1m *h1m, struct htx **dsthtx,
|
||||
{
|
||||
size_t sz, total = 0;
|
||||
|
||||
if (b_data(srcbuf) == ofs || !max)
|
||||
if (b_data(srcbuf) == ofs || max <= sizeof(struct htx_blk))
|
||||
return 0;
|
||||
|
||||
if (h1m->flags & H1_MF_CLEN) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user