mirror of
https://github.com/haproxy/haproxy.git
synced 2026-07-05 23:39:16 -04:00
Recent fix of some HTX muxes to drain remaining data when the stream is in closed state revealed a bug, mainly due to a corner case of the HTX API. It is possible to have an empty HTX message with a parsing/internal error. In that case, the underlying buffer remains full. It is mandatory to prevent any buffer release and be sure the error will be handeled. On the other end, at several places, when data must be transfer from an HTX message to another one, we try to swap underlying buffers instead of performing a bloc-per-bloc copy. To do so, we rely on b_xfer() function. One condition is that the destination message must be empty. And here is the issue. The HTX message can be empty but the buffer can also be full because an HTX error was triggered earlier and not handled yet. In that case, attempting to call b_xfer() leads to a crash because the destination buffer is full. It is not expected to call b_xfer() if there is not enough space in the destination buffer. So, it appears the HTX API should be improved/fixed but first of all, the bug must be fixed. Especially because stable versions are also affected. The htx_is_empty_noerr() function was added to know if a HTX message is empty and no error was reported on it. And this function is now used, instead of htx_is_empty(), to know if we can safely swap the underlying buffers or not. the FCGI, H2 and QUIC multiplexers are concerned. The HTTP client and the applet API were also fixed while it seems harder to trigger the bug at these places. The fix must be backported to all supported versions. |
||
|---|---|---|
| .. | ||
| haproxy | ||
| import | ||
| make | ||