From d0f97040a33c31f7d4b839ced4f5aa598f76bcdd Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Thu, 27 Feb 2025 18:07:17 +0100
Subject: [PATCH] BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return HTTP/0.9 parser was recently updated to support truncated requests in rcv_buf operation. However, this caused a leak as input buffer is allocated early. In fact, the leak was already present in case of fatal errors. Fix this by first delaying buffer allocation, so that initial checks are performed before. Then, ensure that buffer is released in case of a latter error. This is considered as minor, as HTTP/0.9 is reserved for experiment and QUIC interop usages. This should be backported up to 2.6.
---
 src/hq_interop.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/hq_interop.c b/src/hq_interop.c
index caf45656b..55cccf134 100644
--- a/src/hq_interop.c
+++ b/src/hq_interop.c
@@ -23,9 +23,6 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 /* hq-interop parser does not support buffer wrapping. */ BUG_ON(b_data(b) != b_contig_data(b, 0)); - b_alloc(&htx_buf, DB_MUX_RX); - htx = htx_from_buf(&htx_buf); - /* skip method */ while (data && HTTP_IS_TOKEN(*ptr)) { ptr++;
@@ -62,9 +59,14 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 path.len = ptr - path.ptr; + b_alloc(&htx_buf, DB_MUX_RX); + htx = htx_from_buf(&htx_buf); + sl = htx_add_stline(htx, HTX_BLK_REQ_SL, 0, ist("GET"), path, ist("HTTP/1.0")); - if (!sl) + if (!sl) { + b_free(&htx_buf); return -1; + } sl->flags |= HTX_SL_F_BODYLESS; sl->info.req.meth = find_http_meth("GET", 3);
@@ -73,8 +75,10 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 htx->flags |= HTX_FL_EOM; htx_to_buf(htx, &htx_buf); - if (qcs_attach_sc(qcs, &htx_buf, fin)) + if (qcs_attach_sc(qcs, &htx_buf, fin)) { + b_free(&htx_buf); return -1; + } b_free(&htx_buf);
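Review bot: The relocated `b_alloc(&htx_buf, DB_MUX_RX);` in the `@@ -62,9 +59,14 @@` hunk still ignores its result, so an allocation failure is caught only indirectly, if at all, by the `htx_add_stline()` check that follows. This parser runs on data received from the peer, so its behaviour under memory pressure should be explicit rather than depend on how `htx_from_buf()` treats an unallocated buffer, which is not visible here. Assuming `b_alloc()` reports failure with a NULL return, the call could become `if (!b_alloc(&htx_buf, DB_MUX_RX)) return -1;` ahead of `htx = htx_from_buf(&htx_buf);`. The function starts and ends outside this hunk, so whether -1 or a retry-later result is right for a transient allocation failure needs checking against the rest of hq_interop_rcv_buf().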
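Review bot: Each failure exit now repeats `b_free(&htx_buf); return -1;`, here after `qcs_attach_sc()` in the `@@ -73,8 +75,10 @@` hunk and in the `!sl` branch of the previous hunk, so any early return added later after the allocation can skip the release again, which is the kind of leak this commit fixes. Routing both through one label, `goto err;` at the failure sites and `err: b_free(&htx_buf); return -1;` at the end of the function, keeps the release in one place. The end of hq_interop_rcv_buf() is outside the hunk, so the label placement has to be checked against the success path, which already calls `b_free(&htx_buf)`. A short comment on the failure branch stating that `htx_buf` is still owned by this function when `qcs_attach_sc()` fails would also help, since that ownership is inferred here from the success path rather than shown.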