From 811ad12414e43608fd9d20865990496918ca2dd6 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 3 Dec 2017 09:44:50 +0100 Subject: [PATCH] BUG/MAJOR: h2: correctly check the request length when building an H1 request Due to a typo in the request maximum length calculation, we count the request path twice instead of counting it added to the method's length. This has two effects, the first one being that a path cannot be larger than half a buffer, and the second being that the method's length isn't properly checked. Due to the way the temporary buffers are used internally, it is quite difficult to meet this condition. In practice, the only situation where this can cause a problem is when exactly one of either the method or the path is compressed and the other one is sent as a literal. Thanks to Yves Lafon for providing useful traces exhibiting this issue. To be backported to 1.8. --- src/h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/h2.c b/src/h2.c index 3d03b12aa..183b7c374 100644 --- a/src/h2.c +++ b/src/h2.c @@ -83,7 +83,7 @@ static int h2_prepare_h1_reqline(uint32_t fields, struct ist *phdr, char **ptr, } } - if (out + phdr[uri_idx].len + 1 + phdr[uri_idx].len + 11 > end) { + if (out + phdr[H2_PHDR_IDX_METH].len + 1 + phdr[uri_idx].len + 11 > end) { /* too large */ goto fail; }
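Review bot: The corrected bound in the `h2_prepare_h1_reqline` hunk still carries the unexplained magic constant `11` alongside the `+ 1`, and since this is exactly the kind of arithmetic the typo slipped into, a one-line comment stating what each term accounts for (the `1` presumably the space between method and path, the `11` presumably the trailing ` HTTP/1.1\r\n` suffix, if that is indeed what is appended after the path) would make the next reader able to verify the check without re-deriving it. It would also be worth adding a regression test for the case the commit message describes, one where the method is a long literal and the path is compressed (and the converse), and asserting that the request is rejected with `goto fail` rather than written past `end`, since that is the only path the message says can actually reach the old miscount.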