mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-06 13:36:09 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: haterm: Fix a possible integer overflow on the request body length

Browse Source 
When request data were received, the request body length was decremented
accordingly with no check on it to be sure it was set. However, it remains
equal to 0 for chunked requests or H2/H3 requests with no content-length.

So now, it is only decremented when it is greater than 0.
This commit is contained in:
Christopher Faulet 2026-05-05 15:54:21 +02:00
parent 3f7b2023c9
commit 999d71560d
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/haterm.c
View File

@ -281,7 +281,9 @@ static int hstream_htx_buf_rcv(struct connection *conn, struct hstream *hs)
}
end_recv:
hs->req_body -= cur_read;
if (cur_read) {
hs->req_body = ((hs->req_body < cur_read) ? 0 : hs->req_body - cur_read);
}
if (((conn->flags & CO_FL_ERROR) || sc_ep_test(hs->sc, SE_FL_ERROR))) {
hs->flags |= HS_ST_CONN_ERROR;