From 3250ec6e9c0ab0e20913f9c9b43d13afe38ad6cb Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Thu, 12 Mar 2026 11:21:34 +0100 Subject: [PATCH] BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX message When H2 or H3 trailers are inserted in an HTX message, we must take care to not exceed the maximum number of trailers allowed in a message (same than the maximum number of headers, i.e tune.http.maxhdr). However, all HTX blocks in the HTX message were considered. Only TRAILERS HTX blocks must be considered. To fix the issue, in h2_make_htx_trailers(), we rely on the "idx" variable at the end of the for loop. In h3_trailers_to_htx(), we rely on the "hdr_idx" variable. This patch must be backported to all stables versions for the H2 part and as far as 2.8 for the H3 one. pouet --- src/h2.c | 4 ++-- src/h3.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/h2.c b/src/h2.c index 9cc006ea9..64c23d474 100644 --- a/src/h2.c +++ b/src/h2.c @@ -861,8 +861,8 @@ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx) goto fail; } - /* Check the number of blocks against "tune.http.maxhdr" value before adding EOT block */ - if (htx_nbblks(htx) > global.tune.max_http_hdr) + /* Check the number of trailers against "tune.http.maxhdr" value before adding EOT block */ + if (idx > global.tune.max_http_hdr) goto fail; if (!htx_add_endof(htx, HTX_BLK_EOT)) diff --git a/src/h3.c b/src/h3.c index 0b7c53303..09634f14c 100644 --- a/src/h3.c +++ b/src/h3.c @@ -1505,7 +1505,7 @@ static ssize_t h3_trailers_to_htx(struct qcs *qcs, const struct buffer *buf, } /* Check the number of blocks against "tune.http.maxhdr" value before adding EOT block */ - if (htx_nbblks(htx) > global.tune.max_http_hdr) { + if (hdr_idx > global.tune.max_http_hdr) { len = -1; goto out; }