git.kaiwu.me - haproxy.git/commit

]> git.kaiwu.me - haproxy.git/commit

projects / haproxy.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: a46b0ee) | patch

author	Christopher Faulet <cfaulet@haproxy.com>
	Tue, 28 Apr 2026 16:15:15 +0000 (18:15 +0200)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Wed, 29 Apr 2026 09:47:37 +0000 (11:47 +0200)
commit	f9c2d476777be2a1cd15658071fb237822bb1699
tree	f6c0179b7af5d28f7841cf6d27b7ed985beea325	tree \| snapshot
parent	a46b0eec72e01dbbf436c8bd6917d9e4097ba8c3	commit \| diff

BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size

Functions emitting chunks size are using size_t integer to do so. Depending
on the code path, these functions can be called using an unsigned long long
integer (h1m->curr_len for instance). On 64-bits architectures, there is no
issue. But on the 32-bits architecture, it is a problem. size_t are 32-bits
integer so the 64-bits parameter will be casted to a 32-bits integer. For
chunk size exceeding 4GB, the wrong size will be emitted.

To fix the issue, these functions are now using true 64-bits
integer. h1s_consume_kop() was also modified accordingly.

In addition, when a size_t is compared to a 64-bits integer, an explicit
cast is used to be sure the right type is used.

This patch must be backported as far as 3.0. It must be backported after
1ef74fc7c ("BUG/MEDIUM: mux_h1: fix stack buffer overflow in
h1_append_chunk_size()").

diff | blob | history

haproxy upstream