BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
In htx_copy_msg(), if the destination buffer is empty, we perform a raw copy
of the message instead of a copy block per block. But we must be sure the
destianation buffer was really allocated. In other word, to perform a raw
copy, the HTX message must be empty _AND_ it must have some free space
available.
This function is only used to copy an HTTP reply (for instance, an error or
a redirect) in the buffer of the response channel. For now, we are sure the
buffer was allocated because it is a pre-requisite to call stream
analyzers. However, it may be a source of bug in future.
This patch may be backported as far as 2.3.
diff --git a/include/haproxy/htx.h b/include/haproxy/htx.h
index c7ae308..c74d0db 100644
--- a/include/haproxy/htx.h
+++ b/include/haproxy/htx.h
@@ -749,8 +749,8 @@
*/
static inline int htx_copy_msg(struct htx *htx, const struct buffer *msg)
{
- /* The destination HTX message is empty, we can do a raw copy */
- if (htx_is_empty(htx)) {
+ /* The destination HTX message is allocated and empty, we can do a raw copy */
+ if (htx_is_empty(htx) && htx_free_space(htx)) {
memcpy(htx, msg->area, msg->size);
return 1;
}