From dcb964f8db45d6bcd367ad6f587c49b9727cfa50 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Thu, 25 Jan 2024 14:57:17 +0100 Subject: [PATCH] MINOR: mux-h1: Stop zero-copy forwarding during nego for too big requested size Now, during the zero-copy forwarding negotiation, when the requested size is exact, we are now able to check if it is bigger than the expected one or not. If it is indeed bigger than expeceted, the zero-copy forwarding is disabled, the error will be triggered later on the normal sending path. --- src/mux_h1.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index a08d08520..6f6b95e06 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -4460,13 +4460,24 @@ static size_t h1_nego_ff(struct stconn *sc, struct buffer *input, size_t count, goto out; } - /* TODO: add check on curr_len if CLEN */ - - if (h1m->flags & H1_MF_CHNK) { + if (h1m->flags & H1_MF_CLEN) { + if ((flags & NEGO_FF_FL_EXACT_SIZE) && count > h1m->curr_len) { + TRACE_ERROR("more payload than announced", H1_EV_STRM_SEND|H1_EV_STRM_ERR, h1c->conn, h1s); + h1s->sd->iobuf.flags |= IOBUF_FL_NO_FF; + goto out; + } + } + else if (h1m->flags & H1_MF_CHNK) { if (h1m->curr_len) { BUG_ON(h1m->state != H1_MSG_DATA); - if (count > h1m->curr_len) + if (count > h1m->curr_len) { + if ((flags & NEGO_FF_FL_EXACT_SIZE) && count > h1m->curr_len) { + TRACE_ERROR("chunk bigger than announced", H1_EV_STRM_SEND|H1_EV_STRM_ERR, h1c->conn, h1s); + h1s->sd->iobuf.flags |= IOBUF_FL_NO_FF; + goto out; + } count = h1m->curr_len; + } } else { BUG_ON(h1m->state != H1_MSG_CHUNK_CRLF && h1m->state != H1_MSG_CHUNK_SIZE);