BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return

HTTP/0.9 parser was recently updated to support truncated requests in rcv_buf operation. However, this caused a leak as input buffer is allocated early. In fact, the leak was already present in case of fatal errors. Fix this by first delaying buffer allocation, so that initial checks are performed before. Then, ensure that buffer is released in case of a latter error. This is considered as minor, as HTTP/0.9 is reserved for experiment and QUIC interop usages. This should be backported up to 2.6.
makesoftwaresafe · Feb 28, 2025 · d0f9704 · d0f9704
1 parent fd5d599
commit d0f9704
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/hq_interop.c b/src/hq_interop.c
@@ -23,9 +23,6 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 	/* hq-interop parser does not support buffer wrapping. */
 	BUG_ON(b_data(b) != b_contig_data(b, 0));
 
-	b_alloc(&htx_buf, DB_MUX_RX);
-	htx = htx_from_buf(&htx_buf);
-
 	/* skip method */
 	while (data && HTTP_IS_TOKEN(*ptr)) {
 		ptr++;
@@ -62,9 +59,14 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 
 	path.len = ptr - path.ptr;
 
+	b_alloc(&htx_buf, DB_MUX_RX);
+	htx = htx_from_buf(&htx_buf);
+
 	sl = htx_add_stline(htx, HTX_BLK_REQ_SL, 0, ist("GET"), path, ist("HTTP/1.0"));
-	if (!sl)
+	if (!sl) {
+		b_free(&htx_buf);
 		return -1;
+	}
 
 	sl->flags |= HTX_SL_F_BODYLESS;
 	sl->info.req.meth = find_http_meth("GET", 3);
@@ -73,8 +75,10 @@ static ssize_t hq_interop_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
 	htx->flags |= HTX_FL_EOM;
 	htx_to_buf(htx, &htx_buf);
 
-	if (qcs_attach_sc(qcs, &htx_buf, fin))
+	if (qcs_attach_sc(qcs, &htx_buf, fin)) {
+		b_free(&htx_buf);
 		return -1;
+	}
 
 	b_free(&htx_buf);