From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 5 May 2026 13:54:21 +0000 (+0200)
Subject: BUG/MINOR: haterm: Fix a possible integer overflow on the request body length
X-Git-Tag: v3.4-dev11~39
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=999d71560d9487d8b5782b5c4ec8d6cd56e97935;p=haproxy.git

BUG/MINOR: haterm: Fix a possible integer overflow on the request body length

When request data were received, the request body length was decremented
accordingly with no check on it to be sure it was set. However, it remains
equal to 0 for chunked requests or H2/H3 requests with no content-length.

So now, it is only decremented when it is greater than 0.
---

diff --git a/src/haterm.c b/src/haterm.c
index e5a74e32a..bab6d810f 100644
--- a/src/haterm.c
+++ b/src/haterm.c
@@ -281,7 +281,9 @@ static int hstream_htx_buf_rcv(struct connection *conn, struct hstream *hs)
 	}
 
  end_recv:
-	hs->req_body -= cur_read;
+	if (cur_read) {
+		hs->req_body = ((hs->req_body < cur_read) ? 0 : hs->req_body - cur_read);
+	}
 
 	if (((conn->flags & CO_FL_ERROR) || sc_ep_test(hs->sc, SE_FL_ERROR))) {
 		hs->flags |= HS_ST_CONN_ERROR;