From b6995d25d1b694f52d1f23463532680b484c775f Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 4 May 2026 13:42:52 +0200 Subject: [PATCH] BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers The h2 content-length validation in commit d12edebe4a ("BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well") was insufficient. The content-length check is still ineffective on request trailers and it could not work by default due to the fact that the default body_len is used in h2c_frt_handle_headers() when processing trailers, instead of passing h2s->body_len, which was necessarily parsed before reaching trailers. Let's fix this point first, otherwise fixing the second issue would break trailers. Many thanks to Pratham Gupta / alchemy1729 for spotting and analyzing this problem, and for providing a lightweight reproducer to illustrate the problem! This fix must be backported to all versions where the fix above was backported (i.e. all). --- src/mux_h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index 00c3fe3c4..06326397a 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -3543,7 +3543,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s) goto out; } - error = h2c_dec_hdrs(h2c, h2s_rxbuf_tail(h2s), &h2s->flags, &body_len, NULL); + error = h2c_dec_hdrs(h2c, h2s_rxbuf_tail(h2s), &h2s->flags, &h2s->body_len, NULL); /* unrecoverable error ? */ if (h2c->st0 >= H2_CS_ERROR) { TRACE_USER("Unrecoverable error decoding H2 trailers", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, 0, h2s_rxbuf_tail(h2s));
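Review bot: the changed h2c_dec_hdrs() call in the trailers path of h2c_frt_handle_headers() now takes &h2s->body_len where it used to take a variable named body_len, and nothing at the call site says why the two differ, so a later cleanup could revert it without noticing. A short comment above the call would help, stating that trailers must be checked against the stream's body_len, which was parsed before the trailers were reached, and not against the default one. It is also worth checking whether that other body_len still has a user in this function after the change. The diffstat touches only src/mux_h2.c, so the reproducer mentioned in the commit message is not captured as a regression test. Since the message says a second fix is still to come and would break trailers without this one, a test sending a request with a content-length and trailers would protect both changes.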