mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-01-19 17:11:22 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: http: chunk parser was broken with buffer changes

Browse Source 
Since at least commit a458b679, msg->sov could become negative in
http_parse_chunk_size() if a chunk size wrapped around the buffer.
The effect is that at some point channel_forward() was called with
a negative size, causing all data to be transferred without being
analyzed anymore.

Since haproxy does not support keep-alive with the server yet, this
issue is not really noticeable, as the server closes the connection
in response. Still, when tunnel mode is used or when pretent-keepalive
is used, it is possible to see the problem.

This issue was reported and diagnosed by William Lallemand at
Exceliance.
This commit is contained in:
Willy Tarreau 2012-09-27 15:08:56 +02:00
parent 3c7a79dbb1
commit b8ffd378f0
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/proto_http.c
View File

@ -1826,6 +1826,8 @@ int http_parse_chunk_size(struct http_msg *msg)
* which may or may not be present. We save that into ->next and
* ->sov.
*/
if (ptr < ptr_old)
msg->sov += buf->buf.size;
msg->sov += ptr - ptr_old;
msg->next = buffer_count(&buf->buf, buf->buf.p, ptr);
msg->chunk_len = chunk;