mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

[BUG] http: fix possible incorrect forwarded wrapping chunk size

Browse Source 
It seems like if a response message is chunked and the chunk size wraps
at the end of the buffer and the crlf sequence is incomplete, then we
can forward a wrong chunk size due to incorrect handling of the wrapped
size. It seems extremely unlikely to occur on real traffic (no reason to
have half of the CRLF after a chunk) but nothing prevents it from being
possible.

This fix must be backported to 1.4.
This commit is contained in:
Willy Tarreau 2011-03-01 20:04:36 +01:00
parent a11460540f
commit acd20f80c1
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/proto_http.c
View File

@ -5522,6 +5522,9 @@ int http_response_forward_body(struct session *s, struct buffer *res, int an_bit
/* forward the chunk size as well as any pending data */ /* forward the chunk size as well as any pending data */
if (msg->hdr_content_len || msg->som != msg->sov) { if (msg->hdr_content_len || msg->som != msg->sov) {
int bytes = msg->sov - msg->som;
if (bytes < 0) /* sov may have wrapped at the end */
bytes += res->size;
buffer_forward(res, msg->sov - msg->som + msg->hdr_content_len); buffer_forward(res, msg->sov - msg->som + msg->hdr_content_len);
msg->hdr_content_len = 0; /* don't forward that again */ msg->hdr_content_len = 0; /* don't forward that again */
msg->som = msg->sov; msg->som = msg->sov;