From c2b54462929845274cad7251ddc8c909187ce0c4 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 23 Feb 2026 14:31:17 +0100 Subject: [PATCH] BUG/MEDIUM: spoe: Acquire context buffer in applet before consuming a frame Changes brought to support large buffers revealed a bug in the SPOE applet when a frame is copied in the SPOE context buffer. A b_xfer() was performed without allocating the SPOE context buffer. It is not expected. As stated in the function documentation, the caller is responsible for ensuring there is enough space in the destination buffer. So first of all, it must ensure this buffer was allocated. With recent changes, we are able to hit a BUG_ON() because the swap is no longer possible if source and destination buffers size are not the same. This patch should fix the issue #3286. It could be backported as far as 3.1. --- src/flt_spoe.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/flt_spoe.c b/src/flt_spoe.c index a1147665a..46a46cb3b 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -467,6 +467,9 @@ static int spoe_handle_receiving_frame_appctx(struct appctx *appctx) goto end; } + if (!spoe_acquire_buffer(&spoe_ctx->buffer, &spoe_ctx->buffer_wait)) + goto end; + if (b_data(&appctx->inbuf) > spoe_appctx->agent->max_frame_size) { spoe_ctx->state = SPOE_CTX_ST_ERROR; spoe_ctx->status_code = (spoe_appctx->status_code + 0x100);
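Review bot: the new spoe_acquire_buffer() call is placed ahead of the max_frame_size check, so the SPOE context buffer is acquired (or the context is queued on buffer_wait) even for a frame that the very next test rejects with SPOE_CTX_ST_ERROR. Consider moving the acquire below the size check, directly before the b_xfer() the commit message refers to, or confirm that the error path releases the buffer. The failed-acquire branch also does a bare "goto end" without setting a state or status code; a one-line comment saying that this is a wait on buffer_wait and not an error, and that the frame stays in appctx->inbuf until the applet is woken up, would make the intent clear to the next reader.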