upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-06-11 01:41:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 16

BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value()

Browse source 
Since support for large buffers was added, we must be careful when chunks
are allocated. Indeed, depending on the context a large chunks may be
required if data are copied from a large buffer.

In htx_replace_blk_value() function, when a defragmentation is necessary,
the data to be replaced are copied to a chunk before the
defragmentation. However, I forgot to get large chunk when necessary by
calling alloc_trash_chunk_sz() instead of alloc_trash_chunk(). Because of
this issue, it is possible to copy data to a too small chunk, leading to a
crash.

So let's fix the issue.

Thanks to Vincent55 for finding and reporting this.

No backport needed.
This commit is contained in:
Christopher Faulet 2026-05-20 16:13:25 +02:00
parent 2a87629052
commit 482b6763a3
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/htx.c
View file

@ -681,7 +681,7 @@ struct htx_blk *htx_replace_blk_value(struct htx *htx, struct htx_blk *blk,
}
else { /* Do a defrag first (it is always an expansion) */
struct htx_blk tmpblk;
struct buffer *chunk = alloc_trash_chunk();
struct buffer *chunk = alloc_trash_chunk_sz(n.len + v.len + delta);
void *ptr;
if (!chunk)