From e8cc8a60be614c1cf978233b0b97771c9cc8fa20 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 10 Jun 2024 11:33:08 +0200 Subject: [PATCH] BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego When data are transfered via zero-copy data forwarding, if some data were already received, we try to immediately tranfer it during the negociation step. If data are chunked and the chunk size is unknown, 10 bytes are reserved to write the chunk size during the done step. However, when input data are finally transferred, the offset is ignored. Data are copied into the output buffer. But the first 10 bytes are then crushed by the chunk size. Thus the chunk is truncated leading to a malformed message. This patch should fix the issue #2598. It must be backported to 3.0. --- src/mux_h1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/mux_h1.c b/src/mux_h1.c index 2928751a5..4973527a9 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -4724,7 +4724,9 @@ static size_t h1_nego_ff(struct stconn *sc, struct buffer *input, size_t count, if (xfer > b_data(input)) xfer = b_data(input); + h1c->obuf.head += offset; h1s->sd->iobuf.data = b_xfer(&h1c->obuf, input, xfer); + h1c->obuf.head -= offset; /* Cannot forward more data, wait for room */ if (b_data(input))
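Review bot: the temporary `h1c->obuf.head += offset;` / `h1c->obuf.head -= offset;` pair around `b_xfer()` carries no comment, and the intent (shift the write position past the `offset` bytes reserved for the chunk size that the done step fills in, then restore `head` so the reserved area is still accounted for) is only recoverable from the commit message. Please add a one-line comment above the first line saying exactly that, since a later reader will otherwise see an uncommented mutation of `head` and may "simplify" it away, reintroducing the truncated-chunk bug this patch fixes. Two things worth confirming in the same review: that `xfer`, which the visible context only clamps against `b_data(input)`, is elsewhere bounded by the output room minus `offset`, so the shifted copy cannot run past the buffer; and that `b_xfer()` derives its destination from `head` in every branch (including the wrapping case), as the fix relies on that for correctness.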