From e5438b749c6381f7cb7c63155669f375b51943ff Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 26 Jun 2019 14:56:27 +0200 Subject: [PATCH] BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages During headers parsing, an error is returned if the message is too large and does not fit in the input buffer. The mux h1 used the function b_full() to do so. But to allow zero copy transfers, in h1_recv(), the input buffer is pre-aligned and thus few bytes remains always free. To fix the bug, as during the trailers parsing, the function buf_room_for_htx_data() should be used instead. This patch must be backported to 2.0 and 1.9. --- src/mux_h1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index 4594a62b4..78145df5c 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -984,7 +984,7 @@ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *h /* Incomplete or invalid message. If the buffer is full, it's an * error because headers are too large to be handled by the * parser. */ - if (ret < 0 || (!ret && b_full(buf))) + if (ret < 0 || (!ret && !buf_room_for_htx_data(buf))) goto error; goto end; }