BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego

When data are transfered via zero-copy data forwarding, if some data were already received, we try to immediately tranfer it during the negociation step. If data are chunked and the chunk size is unknown, 10 bytes are reserved to write the chunk size during the done step. However, when input data are finally transferred, the offset is ignored. Data are copied into the output buffer. But the first 10 bytes are then crushed by the chunk size. Thus the chunk is truncated leading to a malformed message. This patch should fix the issue #2598. It must be backported to 3.0.
2024-12-19 01:54:37 +00:00 · 2024-06-10 11:33:08 +02:00 · 2024-06-10 11:33:08 +02:00 · e8cc8a60be
commit e8cc8a60be
parent 52eb6b23f8
1 changed files with 2 additions and 0 deletions
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@ -4724,7 +4724,9 @@ static size_t h1_nego_ff(struct stconn *sc, struct buffer *input, size_t count,

 		if (xfer > b_data(input))
 			xfer = b_data(input);
+		h1c->obuf.head += offset;
 		h1s->sd->iobuf.data = b_xfer(&h1c->obuf, input, xfer);
+		h1c->obuf.head -= offset;

 		/* Cannot forward more data, wait for room */
 		if (b_data(input))