From 9c0aeb3af489cf9c058df88367ad0cf676d3aa7e Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Thu, 12 Mar 2026 21:41:31 +0100
Subject: [PATCH] BUG/MEDIUM: stconn: Don't perform L7 retries with large buffer
L7 retries are buggy when a large buffer is used on the request channel. A memcpy is used to copy data from the request buffer into the L7 buffer. The L7 buffer is for now always a standard buffer. So if a larger buffer is used, this leads to a buffer overflow and crash the process. The Best way to fix the issue is to disable L7 retries when a large buffer was allocated for the request channel. In that case, we don't want to allocate an extra large buffer. No backport needed.
---
 src/stconn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/stconn.c b/src/stconn.c
index 137d8646f..8d5dfeade 100644
--- a/src/stconn.c
+++ b/src/stconn.c
@@ -1493,7 +1493,7 @@ int sc_conn_send(struct stconn *sc)
 * disable the l7 retries by setting
 * l7_conn_retries to 0.
 */
- if (s->txn->req.msg_state != HTTP_MSG_DONE)
+ if (s->txn->req.msg_state != HTTP_MSG_DONE || b_is_large(&oc->buf))
 s->txn->flags &= ~TX_L7_RETRY;
 else {
 if (b_alloc(&s->txn->l7_buffer, DB_UNLIKELY) == NULL)
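Review bot: The added `b_is_large(&oc->buf)` test on the `if` line keeps a large request buffer away from the L7 copy, but the copy itself is presumably still not bounded by the destination size. Per the commit message it is a memcpy into an always-standard `l7_buffer`; that code sits below this hunk, so this is inferred rather than visible. I would add a fail-closed check after the `b_alloc()` succeeds and before the copy, e.g. `if (b_size(&oc->buf) > b_size(&s->txn->l7_buffer)) s->txn->flags &= ~TX_L7_RETRY;`, so that any future buffer class bigger than a standard one disables the retry instead of overflowing. The comment ending just above the condition only covers the not-fully-sent case and should gain a line such as `* Retries are also disabled for a large request buffer, because the l7 buffer is always a standard one.` sc_conn_send's body starts and ends outside the hunk.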