BUG/MINOR: haterm: Fix a possible integer overflow on the request body length

When request data were received, the request body length was decremented
accordingly with no check on it to be sure it was set. However, it remains
equal to 0 for chunked requests or H2/H3 requests with no content-length.

So now, it is only decremented when it is greater than 0.

diff --git a/src/haterm.c b/src/haterm.c
index e5a74e32a3d01533e0238ee5930ee216f3960190..bab6d810f214ed13155fc604ce76555716c476bc 100644 (file)
--- a/src/haterm.c
+++ b/src/haterm.c
@@ -281,7 +281,9 @@ static int hstream_htx_buf_rcv(struct connection *conn, struct hstream *hs)
        }
 
  end_recv:
-       hs->req_body -= cur_read;
+       if (cur_read) {
+               hs->req_body = ((hs->req_body < cur_read) ? 0 : hs->req_body - cur_read);
+       }
 
        if (((conn->flags & CO_FL_ERROR) || sc_ep_test(hs->sc, SE_FL_ERROR))) {
                hs->flags |= HS_ST_CONN_ERROR;