From: Christopher Faulet Date: Tue, 8 Jul 2025 06:04:01 +0000 (+0200) Subject: BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred X-Git-Tag: v3.0.12~86 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=55b5cad454d66f09833a30f2531d8bb9e175dc48;p=haproxy-3.0.git BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred When HTX blocks from the requests are transferred into the channel buffer, the return value of htx_xfer_blks() function must not be used to increment the channel input value because meta data are counted here while they are not part of input data. Because of this bug, it is possible to forward more data than these present in the channel buffer. Instead, we look at the input data before and after the transfer and the difference is added. It is only an issue with large POSTs, when the payload is streamed. This patch must be backported as far as 2.6. (cherry picked from commit d9ca8f6b71cd17bae0718f0b1e9da919fc00264d) Signed-off-by: Amaury Denoyelle (cherry picked from commit 208ef1d7aebc11133e8c64966be475a521da5409) Signed-off-by: Christopher Faulet (cherry picked from commit 90167928a38f05680852fd0943b86ef66496ee18) Signed-off-by: Christopher Faulet --- diff --git a/src/http_client.c b/src/http_client.c index 0591404..7d0481d 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -785,9 +785,11 @@ void httpclient_applet_io_handler(struct appctx *appctx) channel_add_input(req, data); } else { struct htx_ret ret; + size_t data = htx->data; ret = htx_xfer_blks(htx, hc_htx, htx_used_space(hc_htx), HTX_BLK_UNUSED); - channel_add_input(req, ret.ret); + data = htx->data - data; + channel_add_input(req, data); /* we must copy the EOM if we empty the buffer */ if (htx_is_empty(hc_htx)) {