BUG/MEDIUM: mux-h1: Report the right amount of data xferred in h1_rcv_buf()
h1_rcv_buf() must return the amount of data copied into the channel's buffer,
not the number of bytes parsed. Because this value is used during fast
forwarding to decrement the to_forward value, returning the wrong value leads to
undefined behaviours.
This patch must be backported to 1.9.
diff --git a/src/mux_h1.c b/src/mux_h1.c
index 1e4041b..a88722c 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1316,12 +1316,14 @@
struct h1s *h1s = h1c->h1s;
struct h1m *h1m;
struct htx *htx;
+ size_t data = 0;
size_t total = 0;
size_t ret = 0;
size_t count, rsv;
int errflag;
htx = htx_from_buf(buf);
+ data = htx->data;
count = b_data(&h1c->ibuf);
if (!count)
goto end;
@@ -1373,7 +1375,7 @@
end:
htx_to_buf(htx, buf);
-
+ data = (htx->data - data);
if (h1c->flags & H1C_F_IN_FULL && buf_room_for_htx_data(&h1c->ibuf)) {
h1c->flags &= ~H1C_F_IN_FULL;
tasklet_wakeup(h1c->wait_event.task);
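Review bot: `data = (htx->data - data);` is an unchecked `size_t` subtraction, so if `htx->data` at `end:` is ever smaller than the snapshot taken after `htx_from_buf()` in the first hunk, the result wraps to a huge value that, per the commit message, is then used to decrement `to_forward`. Nothing in the visible lines shows the HTX shrinking between the two reads, but the function body lies mostly outside these hunks, so the invariant should be stated next to the subtraction, e.g. `/* htx->data is expected to only grow between the snapshot and here (confirm) */`, or checked in debug builds. Reusing `data` for both the snapshot and the delta also obscures this. A separate `size_t prev_data = htx->data;` with `data = htx->data - prev_data;` reads more clearly and makes the `= 0` initializer in the first hunk unnecessary.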
@@ -1390,9 +1392,11 @@
if ((h1s->cs->flags & CS_FL_REOS) && (!b_data(&h1c->ibuf) || htx_is_empty(htx))) {
h1s->cs->flags |= CS_FL_EOS;
+ if (h1m->state < H1_MSG_DONE)
+ h1s->cs->flags |= CS_FL_ERROR;
}
- return total;
+ return data;
parsing_err:
b_reset(&h1c->ibuf);
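Review bot: The added `h1m->state < H1_MSG_DONE` test under `end:` can apparently be reached with `h1m` never assigned: the first hunk declares `struct h1m *h1m;` without an initializer, and `if (!count) goto end;` jumps here before any assignment visible in this diff. On that path `!b_data(&h1c->ibuf)` is true, so the dereference happens whenever `CS_FL_REOS` is set, which reads through an indeterminate pointer. If the assignment really sits after the early `goto` (that code is outside the hunks), either select `h1m` before `if (!count)`, or declare it as `struct h1m *h1m = NULL;` and test `if (h1m && h1m->state < H1_MSG_DONE)`. The commit message does not mention this new `CS_FL_ERROR` path, so it needs a comment such as `/* EOS received before the message is complete: report an error */` to help backporters.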