From eeb4d850eac9ac05c1500444dc5dd506e4a07b22 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 18 Feb 2022 17:28:25 +0100 Subject: [PATCH] BUG/MEDIUM: httpclient: limit transfers to the maximum available room A bug was uncovered by commit fc5912914 ("MINOR: httpclient: Don't limit data transfer to 1024 bytes"), it happens that callers of b_xfer() and b_force_xfer() are expected to check for available room in the target buffer. Previously it was unlikely to be full but now with full buffer-sized transfers, it happens more often and in practice it is possible to crash the process with the debug command "httpclient" on the CLI by going beyond the max buffer size. Other call places ought to be rechecked by now and it might be time to rethink this API if it tends to generalize. This must be backported to 2.5. (cherry picked from commit 11adb1d8fcab29ef8b12c93e3b036bb3dcf1607b) Signed-off-by: Willy Tarreau --- src/http_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/http_client.c b/src/http_client.c index af1ba90..47e5cad 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -352,9 +352,10 @@ error: */ int httpclient_res_xfer(struct httpclient *hc, struct buffer *dst) { + size_t room = b_room(dst); int ret; - ret = b_force_xfer(dst, &hc->res.buf, b_data(&hc->res.buf)); + ret = b_force_xfer(dst, &hc->res.buf, MIN(room, b_data(&hc->res.buf))); /* call the client once we consumed all data */ if (!b_data(&hc->res.buf)) { b_free(&hc->res.buf); -- 1.7.10.4
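Review bot: the partial-transfer case introduced in httpclient_res_xfer() is not documented. With the count clamped to `MIN(room, b_data(&hc->res.buf))`, the call can now move fewer bytes than the response buffer holds, and none at all when `b_room(dst)` is 0. In that case the `if (!b_data(&hc->res.buf))` branch is skipped and the data stays queued. I would extend the comment above the function to state that a short or zero transfer is possible and that the caller must call again once dst has room, and confirm that existing callers do not treat a zero result as end of data. Since the commit message notes that callers of b_xfer() and b_force_xfer() are expected to check for room themselves and that other call sites still need rechecking, an assertion or clamp inside those helpers would keep a missed caller from reaching the same crash. Minor: `room` is used once, so `MIN(b_room(dst), b_data(&hc->res.buf))` would avoid the extra local.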