From c6390cdf9ce4e74540544207d6e3cfb31581eaea Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 31 Jan 2025 14:41:28 +0100 Subject: [PATCH] BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks() When transferring blocks from an src to another dst htx representation, htx_xfer_blks() decreases the size of each block removed from the value passed in parameter, so it can't transfer more than . The size must also contain the metadata, represented by a simple sizeof(struct htk_blk). However, the code was doing a sizeof(dstblk) instead of a sizeof(*dstblk) which has the consequence of removing only a size_t from count. Fortunately htx_blk size is 64bits, so that does not provoke any problem in 64bits. But on 32bits architecture, the count value is not decreased correctly and the function could try to transfer more blocks than allowed by the count parameter. Must be backported in every stable release. --- src/htx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/htx.c b/src/htx.c index feb7eec87..a438d7ff5 100644 --- a/src/htx.c +++ b/src/htx.c @@ -722,7 +722,7 @@ struct htx_ret htx_xfer_blks(struct htx *dst, struct htx *src, uint32_t count, dstblk->info = info; htx_memcpy(htx_get_blk_ptr(dst, dstblk), htx_get_blk_ptr(src, blk), sz); - count -= sizeof(dstblk) + sz; + count -= sizeof(*dstblk) + sz; if (blk->info != info) { /* Partial xfer: don't remove from but * resize its content */
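Review bot: at `count -= sizeof(*dstblk) + sz;`, `count` is a `uint32_t` and nothing in the visible context guards the subtraction, so please confirm that the code earlier in the loop limits `sz` using the same `sizeof(*dstblk)` term. On 32-bit builds the metadata cost changes from the pointer size to the 64-bit block size described in the commit message. If the earlier bound was computed with the old pointer-sized value, `sizeof(*dstblk) + sz` can now exceed `count`, which would wrap to a very large value and defeat the limit this patch restores. It would also help to check the rest of src/htx.c for other `sizeof()` uses on a block pointer rather than the pointed-to struct, and to use `sizeof(struct htx_blk)` or a named constant for the per-block overhead so the accounting does not depend on which variable is dereferenced. Since the message asks for a backport to every stable release, a 32-bit build exercising a transfer with a small `count` would be a useful regression check.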