Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / c9ec9bc8346783417fe732cc4d22a074dca263f1^! / . / src / h1_htx.c
commitc9ec9bc8346783417fe732cc4d22a074dca263f1[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Fri Feb 24 16:49:06 2023 +0100
committerChristopher Faulet <cfaulet@haproxy.com>Mon Feb 27 17:45:45 2023 +0100
treecf20166a84b0d4082e0d01cebe945a67ec6a1b1e
parente51891a01d1ca7ecbd45ccb7db18826f15d9c0fa [diff] [blame]
BUG/MEDIUM: h1-htx: Never copy more than the max data allowed during parsing

A bug during H1 data parsing may lead to copy more data than the maximum
allowed. The bug is an overflow on this max threshold when it is lower than
the size of an htx_blk structure.

At first glance, it means it is possible to not respsect the buffer's
reserve. So it may lead to rewrite errors but it may also block any progress
on the stream if the compression is enabled. In this case, the channel
buffer appears as full and the compression must wait for space to
proceed. Outside of any bug, it is only possible when there are outgoing
data to forward, so the compression filter just waits. Because of this bug,
there is nothing to forward. The buffer is just full of input data. Thus
nothing move and the stream is infinitly blocked.

To fix the bug, we must be sure to be able to create an HTX block of 1 byte
without exceeding the maximum allowed.

This patch should fix the issue #2053. It must be backported as far as 2.5.

diff --git a/src/h1_htx.c b/src/h1_htx.c
index 5e7f1ad..81977e8 100644
--- a/src/h1_htx.c
+++ b/src/h1_htx.c

@@ -417,6 +417,8 @@
 	/* Be prepared to create at least one HTX block by reserving its size
 	 * and adjust <count> accordingly.
 	 */
+	if (max <= sizeof(struct htx_blk))
+		goto end;
 	max -= sizeof(struct htx_blk);
 	if (count > max)
 		count = max;
@@ -507,8 +509,7 @@
 	case H1_MSG_DATA:
 	  new_chunk:
 		used = htx_used_space(*dsthtx);
-
-		if (b_data(srcbuf) == ofs || !lmax)
+		if (b_data(srcbuf) == ofs || lmax <= sizeof(struct htx_blk))
 			break;
 
 		sz =  b_data(srcbuf) - ofs;
@@ -588,6 +589,10 @@
 	uint64_t chksz;
 	struct htx_ret htxret;
 
+	lmax = *max;
+	if (lmax <= sizeof(struct htx_blk))
+		goto out;
+
 	/* source info :
 	 *  start : pointer at <ofs> position
 	 *  end   : pointer marking the end of data to parse
@@ -616,7 +621,6 @@
 	 * from <max>. Then we must adjust it if it exceeds the free size in the
 	 * block.
 	 */
-	lmax = *max;
 	if (!dpos)
 		lmax -= sizeof(struct htx_blk);
 	if (lmax > htx_get_blksz(htxret.blk) - dpos)
@@ -829,7 +833,7 @@
 {
 	size_t sz, total = 0;
 
-	if (b_data(srcbuf) == ofs || !max)
+	if (b_data(srcbuf) == ofs || max <= sizeof(struct htx_blk))
 		return 0;
 
 	if (h1m->flags & H1_MF_CLEN) {