BUG/MAJOR: h2: correctly check the request length when building an H1 request
Due to a typo in the request maximum length calculation, we count the
request path twice instead of counting it added to the method's length.
This has two effects, the first one being that a path cannot be larger
than half a buffer, and the second being that the method's length isn't
properly checked. Due to the way the temporary buffers are used internally,
it is quite difficult to meet this condition. In practice, the only
situation where this can cause a problem is when exactly one of either
the method or the path are compressed and the other ones is sent as a
literal.
Thanks to Yves Lafon for providing useful traces exhibiting this issue.
To be backported to 1.8.
diff --git a/src/h2.c b/src/h2.c
index 3d03b12..183b7c3 100644
--- a/src/h2.c
+++ b/src/h2.c
@@ -83,7 +83,7 @@
}
}
- if (out + phdr[uri_idx].len + 1 + phdr[uri_idx].len + 11 > end) {
+ if (out + phdr[H2_PHDR_IDX_METH].len + 1 + phdr[uri_idx].len + 11 > end) {
/* too large */
goto fail;
}