From 21990530188ca07e3d1fadda244314fb40b3f4d9 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 1 Jun 2026 09:45:32 +0200 Subject: [PATCH] BUG/MEDIUM: htx: Fix headers rollback on partial copy in htx_xfer() In htx_xfer() function, when headers are partially copied, depending on the flags, a rollback may be performed to remove all copied headers from the destination message. However, there was an issue in the loop performing the rollback. Instead of decrementing the returned value using the size of the HTX block from the destination message, the one from the source message was used. So the wrong value was be returned and in worst case, it could overflow. In addition, the BUG_ON() in the loop was removed because test condition was wrong. It is a 3.4-specific issue. No backport needed. --- src/htx.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/htx.c b/src/htx.c index 5e2a8ba04..cc0b6d1d4 100644 --- a/src/htx.c +++ b/src/htx.c @@ -831,8 +831,7 @@ size_t htx_xfer(struct htx *dst, struct htx *src, size_t count, unsigned int fla /* Remove partial headers/trailers from and rollback on to not remove them later */ while (type == HTX_BLK_REQ_SL || type == HTX_BLK_RES_SL || type == HTX_BLK_HDR || type == HTX_BLK_TLR) { - BUG_ON(type != htx_get_blk_type(blk)); - ret -= meta_sz + htx_get_blksz(blk); + ret -= meta_sz + htx_get_blksz(dstblk); htx_remove_blk(dst, dstblk); dstblk = htx_get_tail_blk(dst); blk = htx_get_prev_blk(src, blk);