From 999d71560d9487d8b5782b5c4ec8d6cd56e97935 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Tue, 5 May 2026 15:54:21 +0200 Subject: [PATCH] BUG/MINOR: haterm: Fix a possible integer overflow on the request body length When request data were received, the request body length was decremented accordingly with no check on it to be sure it was set. However, it remains equal to 0 for chunked requests or H2/H3 requests with no content-length. So now, it is only decremented when it is greater than 0. --- src/haterm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/haterm.c b/src/haterm.c index e5a74e32a..bab6d810f 100644 --- a/src/haterm.c +++ b/src/haterm.c @@ -281,7 +281,9 @@ static int hstream_htx_buf_rcv(struct connection *conn, struct hstream *hs) } end_recv: - hs->req_body -= cur_read; + if (cur_read) { + hs->req_body = ((hs->req_body < cur_read) ? 0 : hs->req_body - cur_read); + } if (((conn->flags & CO_FL_ERROR) || sc_ep_test(hs->sc, SE_FL_ERROR))) { hs->flags |= HS_ST_CONN_ERROR;