BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks()

When transfering blocks from an src to another dst htx representation, htx_xfer_blks() decreases the size of each block removed from the <count> value passed in parameter, so it can't transfer more than <count>. The size must also contains the metadata, represented by a simple sizeof(struct htk_blk). However, the code was doing a sizeof(dstblk) instead of a sizeof(*dstblk) which as the consequence of removing only a size_t from count. Fortunately htx_blk size is 64bits, so that does not provoke any problem in 64bits. But on 32bits architecture, the count value is not decreased correctly and the function could try to transfer more blocks than allowed by the count parameter. Must be backported in every stable release.
2025-01-31 14:41:28 +01:00 · 2025-01-31 14:41:28 +01:00 · c6390cdf9c
commit c6390cdf9c
parent 956cb5d554
1 changed files with 1 additions and 1 deletions
--- a/src/htx.c
+++ b/src/htx.c
@ -722,7 +722,7 @@ struct htx_ret htx_xfer_blks(struct htx *dst, struct htx *src, uint32_t count,
 		dstblk->info = info;
 		htx_memcpy(htx_get_blk_ptr(dst, dstblk), htx_get_blk_ptr(src, blk), sz);

-		count -= sizeof(dstblk) + sz;
+		count -= sizeof(*dstblk) + sz;
 		if (blk->info != info) {
 			/* Partial xfer: don't remove <blk> from <src> but
 			 * resize its content */