From b4eca0e9087762ba7b8c36690001792ac454b7ea Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 10 Jan 2022 17:27:51 +0100 Subject: [PATCH] BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data A regression was introduced by commit 140f1a58 ("BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message"). To detect end of the outgoing message, when the content-length is announced, we count amount of data already sent. But only data really sent must be counted. If the output buffer is full, we can fail to send data (fully or partially). In this case, we must take care to only count sent data. Otherwise we may think too much data were sent and an internal error may be erroneously reported. This patch should fix issues #1510 and #1511. It must be backported as far as 2.4. --- src/mux_h1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index 1ec6cb77c..a00ac60f2 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -2332,7 +2332,6 @@ static size_t h1_process_mux(struct h1c *h1c, struct buffer *buf, size_t count) H1_EV_TX_DATA|H1_EV_STRM_ERR|H1_EV_H1C_ERR|H1_EV_H1S_ERR, h1c->conn, h1s); goto error; } - h1m->curr_len -= vlen; } if ((h1m->flags & H1_MF_RESP) && (h1s->flags & H1S_F_BODYLESS_RESP)) { TRACE_PROTO("Skip data for bodyless response", H1_EV_TX_DATA|H1_EV_TX_BODY, h1c->conn, h1s, chn_htx); @@ -2378,6 +2377,8 @@ static size_t h1_process_mux(struct h1c *h1c, struct buffer *buf, size_t count) H1_EV_TX_DATA|H1_EV_TX_BODY, h1c->conn, h1s, 0, (size_t[]){v.len}); skip_data: + if (h1m->state == H1_MSG_DATA && (h1m->flags & H1_MF_CLEN)) + h1m->curr_len -= vlen; if (last_data) goto done; break;