From 0dc1b84839ef235a3153d1ef3e729fe1c89f2ea9 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 16 Dec 2018 09:38:30 +0100 Subject: [PATCH] BUG/MAJOR: hpack: fix length check for short names encoding Commit 19ed92b ("MINOR: hpack: optimize header encoding for short names") introduced an error in the space computation for short names, as it removed the length encoding from the count without replacing with 1 (the minimum byte). This results in the last byte of the area being occasionally overwritten, which is immediately detected with -DDEBUG_MEMORY_POOLS as the canary at the end gets overwritten. No backport is needed. --- src/hpack-enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hpack-enc.c b/src/hpack-enc.c index 818a0abd7..1e57153f2 100644 --- a/src/hpack-enc.c +++ b/src/hpack-enc.c @@ -177,7 +177,7 @@ int hpack_encode_header(struct buffer *out, const struct ist n, } make_literal: - if (likely(n.len < 127 && len + 1 + n.len <= size)) { + if (likely(n.len < 127 && len + 2 + n.len <= size)) { out->area[len++] = 0x00; /* literal without indexing -- new name */ out->area[len++] = n.len; /* single-byte length encoding */ ist2bin(out->area + len, n);