From 61aded057dafc419f62b9534d03e6c99a3405f7a Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Thu, 5 Jan 2023 09:34:47 +0100
Subject: [PATCH] BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
There is a bug in b_slow_realign() function when wrapping output data are copied in the swap buffer. block1 and block2 sizes are inverted. Thus blocks with a wrong size are copied. It leads to data mixin if the first block is in reality larger than the second one or to a copy of data outside the buffer is the first block is smaller than the second one. The bug was introduced when the buffer API was refactored in 1.9. It was found by a code review and seems never to have been triggered in almost 5 years. However, we cannot exclude it is responsible of some unresolved bugs. This patch should fix issue #1978. It must be backported as far as 2.0.
---
 include/haproxy/buf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/haproxy/buf.h b/include/haproxy/buf.h
index f2f003c..417ff9c 100644
--- a/include/haproxy/buf.h
+++ b/include/haproxy/buf.h
@@ -467,7 +467,7 @@ static inline void b_slow_realign(struct buffer *b, char *swap, size_t output)
 /* process output data in two steps to cover wrapping */
 if (block1 > b_size(b) - b_head_ofs(b)) {
- block2 = b_size(b) - b_head_ofs(b);
+ block2 = b_peek_ofs(b, block1);
 block1 -= block2;
 }
 memcpy(swap + b_size(b) - output, b_head(b), block1);
-- 
1.7.10.4
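Review bot: The fixed line `block2 = b_peek_ofs(b, block1);` is only correct under the precondition that `output` does not exceed `b_size(b)`: if `b_peek_ofs()` folds the offset back into the buffer at most once, as the helper appears to do in this header, a larger `output` would yield a `block2` smaller than the real wrapped part and the two `memcpy()` calls would again copy the wrong amount of data. Nothing in the hunk states or checks that precondition, so a comment above the `if` such as `/* output <= b_size(b) is required here, so the wrapped part starts at b_peek_ofs(b, block1) */` would make the reasoning visible to the next reader. Given that the old code copied data from outside the buffer for almost five years without being noticed, a regression test that realigns a buffer whose output wraps, once with the first block larger than the second and once with it smaller, would be worth adding alongside the fix. The body of b_slow_realign(), including the second memcpy that consumes `block2`, continues outside the hunk.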