From 60de35cef643ed8eb42dce5f7948231d847ec24e Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Mon, 11 Dec 2023 21:55:32 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h1: Cound data from input buf during
 zero-copy forwarding

During zero-copy forwarding, we first try to forward data found in the input
buffer before trying to receive more data. These data must be removed from
the amount of data to forward (the cound variable).

Otherwise, on an internal retry, in h1_fastfwd(), we can be lead to read
more data than expected. It is especially a problem on the end of a
chunk. An error is erroneously reported because more data than announced are
received.

This patch should fix the issue #2382. It must be backported to 2.9.

(cherry picked from commit eed1e8733c279cda0b6a2db574ead4e0238177f6)
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 src/mux_h1.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/src/mux_h1.c b/src/mux_h1.c
index d2acee6..cb70b84 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -4633,6 +4633,7 @@ static int h1_fastfwd(struct stconn *sc, unsigned int count, unsigned int flags)
 	}
 
 	total += sdo->iobuf.data;
+	count -= sdo->iobuf.data;
 #if defined(USE_LINUX_SPLICE)
 	if (sdo->iobuf.pipe) {
 		/* Here, not data was xferred */
-- 
1.7.10.4