From 482b6763a32c37a42ace8f1ede959cba1942afa9 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 20 May 2026 16:13:25 +0200 Subject: [PATCH] BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value() Since support for large buffers was added, we must be careful when chunks are allocated. Indeed, depending on the context a large chunks may be required if data are copied from a large buffer. In htx_replace_blk_value() function, when a defragmentation is necessary, the data to be replaced are copied to a chunk before the defragmentation. However, I forgot to get large chunk when necessary by calling alloc_trash_chunk_sz() instead of alloc_trash_chunk(). Because of this issue, it is possible to copy data to a too small chunk, leading to a crash. So let's fix the issue. Thanks to Vincent55 for finding and reporting this. No backport needed. --- src/htx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/htx.c b/src/htx.c index f502da4f0..5e2a8ba04 100644 --- a/src/htx.c +++ b/src/htx.c @@ -681,7 +681,7 @@ struct htx_blk *htx_replace_blk_value(struct htx *htx, struct htx_blk *blk, } else { /* Do a defrag first (it is always an expansion) */ struct htx_blk tmpblk; - struct buffer *chunk = alloc_trash_chunk(); + struct buffer *chunk = alloc_trash_chunk_sz(n.len + v.len + delta); void *ptr; if (!chunk)
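Review bot: In the defrag branch of htx_replace_blk_value(), the size passed to the allocator, `n.len + v.len + delta`, carries no comment saying which copy into the chunk it has to cover, and the missing size was the whole bug. A one-line comment next to `alloc_trash_chunk_sz(n.len + v.len + delta)` that ties the three terms to the data copied before the defragmentation would let the next reader check the bound without reconstructing it. It is also worth confirming that the sum cannot wrap for the types of `n.len`, `v.len` and `delta`. Finally, confirm that a request larger than any available chunk returns NULL, so that the existing `if (!chunk)` check handles it rather than a smaller chunk being handed back. The commit message says alloc_trash_chunk() was called where a large chunk may be needed; if other callers copy from a possibly large buffer in the same way, a note on whether they were audited would help.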