BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation In hpack_encode_header() there is a length check to verify that a literal header name fits in the buffer, but there it an off-by-one in this length check, which forgets the byte required to mark the encoding type (literal without indexing). It should be harmless though as it cannot be triggered since response headers passing through haproxy are limited by the reserve, which is not the case of the output buffer. This fix should be backported to 1.8.

commit: 7571015939eb0ab560df0fefc434e273ec9d93ff [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Tue Dec 11 06:46:03 2018 +0100
committer: Willy Tarreau <w@1wt.eu> Tue Dec 11 06:46:03 2018 +0100
tree: 0482d912cdb65f81fde3a2966797b90af4aee3ba
parent: 56b0348ea7a31792ade70c4759889895b6d24d38 [diff]
diff --git a/src/hpack-enc.c b/src/hpack-enc.c
index c4c8ea2..836584a 100644
--- a/src/hpack-enc.c
+++ b/src/hpack-enc.c

@@ -109,7 +109,7 @@
 		out->area[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24)
 	else if (isteq(n, ist("content-length")))
 		out->area[len++] = 0x5c; // literal with indexing -- name="content-length" (idx 28)
-	else if (len_to_bytes(n.len) && len + len_to_bytes(n.len) + n.len <= size) {
+	else if (len_to_bytes(n.len) && len + 1 + len_to_bytes(n.len) + n.len <= size) {
 		out->area[len++] = 0x00;      /* literal without indexing -- new name */
 
 		len = hpack_encode_len(out->area, len, n.len);
commit	7571015939eb0ab560df0fefc434e273ec9d93ff	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Tue Dec 11 06:46:03 2018 +0100
committer	Willy Tarreau <w@1wt.eu>	Tue Dec 11 06:46:03 2018 +0100
tree	0482d912cdb65f81fde3a2966797b90af4aee3ba
parent	56b0348ea7a31792ade70c4759889895b6d24d38 [diff]