diff options
| author | Christopher Faulet <cfaulet@haproxy.com> | 2023-02-24 16:49:06 +0100 |
|---|---|---|
| committer | Christopher Faulet <cfaulet@haproxy.com> | 2023-02-27 17:45:45 +0100 |
| commit | c9ec9bc8346783417fe732cc4d22a074dca263f1 (patch) | |
| tree | cf20166a84b0d4082e0d01cebe945a67ec6a1b1e | |
| parent | e51891a01d1ca7ecbd45ccb7db18826f15d9c0fa (diff) | |
| download | haproxy-c9ec9bc8346783417fe732cc4d22a074dca263f1.tar.gz | |
BUG/MEDIUM: h1-htx: Never copy more than the max data allowed during parsing
A bug during H1 data parsing may lead to copy more data than the maximum
allowed. The bug is an overflow on this max threshold when it is lower than
the size of an htx_blk structure.
At first glance, it means it is possible to not respsect the buffer's
reserve. So it may lead to rewrite errors but it may also block any progress
on the stream if the compression is enabled. In this case, the channel
buffer appears as full and the compression must wait for space to
proceed. Outside of any bug, it is only possible when there are outgoing
data to forward, so the compression filter just waits. Because of this bug,
there is nothing to forward. The buffer is just full of input data. Thus
nothing move and the stream is infinitly blocked.
To fix the bug, we must be sure to be able to create an HTX block of 1 byte
without exceeding the maximum allowed.
This patch should fix the issue #2053. It must be backported as far as 2.5.
| -rw-r--r-- | src/h1_htx.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/h1_htx.c b/src/h1_htx.c index 5e7f1ad5e..81977e8ad 100644 --- a/src/h1_htx.c +++ b/src/h1_htx.c @@ -417,6 +417,8 @@ static size_t h1_copy_msg_data(struct htx **dsthtx, struct buffer *srcbuf, size_ /* Be prepared to create at least one HTX block by reserving its size * and adjust <count> accordingly. */ + if (max <= sizeof(struct htx_blk)) + goto end; max -= sizeof(struct htx_blk); if (count > max) count = max; @@ -507,8 +509,7 @@ static size_t h1_parse_chunk(struct h1m *h1m, struct htx **dsthtx, case H1_MSG_DATA: new_chunk: used = htx_used_space(*dsthtx); - - if (b_data(srcbuf) == ofs || !lmax) + if (b_data(srcbuf) == ofs || lmax <= sizeof(struct htx_blk)) break; sz = b_data(srcbuf) - ofs; @@ -588,6 +589,10 @@ static size_t h1_parse_full_contig_chunks(struct h1m *h1m, struct htx **dsthtx, uint64_t chksz; struct htx_ret htxret; + lmax = *max; + if (lmax <= sizeof(struct htx_blk)) + goto out; + /* source info : * start : pointer at <ofs> position * end : pointer marking the end of data to parse @@ -616,7 +621,6 @@ static size_t h1_parse_full_contig_chunks(struct h1m *h1m, struct htx **dsthtx, * from <max>. Then we must adjust it if it exceeds the free size in the * block. */ - lmax = *max; if (!dpos) lmax -= sizeof(struct htx_blk); if (lmax > htx_get_blksz(htxret.blk) - dpos) @@ -829,7 +833,7 @@ size_t h1_parse_msg_data(struct h1m *h1m, struct htx **dsthtx, { size_t sz, total = 0; - if (b_data(srcbuf) == ofs || !max) + if (b_data(srcbuf) == ofs || max <= sizeof(struct htx_blk)) return 0; if (h1m->flags & H1_MF_CLEN) { |