Request Smuggling in HAProxy due to Integer Overflow in Header Parsing
The idea here is that by overflowing the value containing the size of a header name you can cause the header to be misinterpreted.
What happens is that, in the first stage of processing by HAProxy, the headers are parsed into a structure that encodes the name length in 8 bits. Providing a header name of more than 255 bytes therefore overflows into the adjacent field: the carried bit also sets the size of the header’s value to 1.
For the request smuggling attack, you use this vulnerability to create a header that the first-stage parser will not recognize as a “Content-Length” header. The second stage, however, reads the structure with its corrupted values and treats it, and the value it reads, as the legitimate Content-Length. This can result in a final proxied request carrying extra data after the supposed end of the content, which is then treated as a second request.
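The field-width problem described above, as an added model that is not HAProxy's source: a packed descriptor with an 8-bit name length, an unchecked encoder that lets a 256-byte name wrap to 0 and carry one into the adjacent value-length field, a checked encoder that rejects such names, and a pre-parse check on a raw header line. The struct layout (type:4, value_len:20, name_len:8) and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model only (not HAProxy's source): packed header descriptor, name length in
 * the low 8 bits, value length in the 20 bits above it, type in the top 4. */
struct hdr_desc { uint32_t info; };

/* Unchecked encoder: stored by plain addition, so a name length >= 256 wraps
 * to its low byte and the carry lands in the value-length field. */
static struct hdr_desc encode_unchecked(size_t name_len, size_t value_len)
{
    struct hdr_desc d;
    d.info = ((uint32_t)value_len << 8) + (uint32_t)name_len;
    return d;
}
static unsigned decoded_name_len(struct hdr_desc d)  { return d.info & 0xffu; }
static unsigned decoded_value_len(struct hdr_desc d) { return (d.info >> 8) & 0xfffffu; }

/* Hardened encoder: refuse lengths that do not fit their fields. */
static int encode_checked(size_t name_len, size_t value_len, struct hdr_desc *out)
{
    if (name_len > 0xff || value_len > 0xfffff)
        return -1;
    out->info = ((uint32_t)value_len << 8) | (uint32_t)name_len;
    return 0;
}

/* Pre-parse check: does this header line's name exceed the 8-bit field? */
static int name_len_wraps(const char *line)
{
    const char *colon = strchr(line, ':');
    size_t n = colon ? (size_t)(colon - line) : strlen(line);
    return n > 0xff;
}
/* Builds a constructed line "aaa...a:" with name_bytes 'a's and checks it. */
static int constructed_line_wraps(size_t name_bytes)
{
    char line[600];
    if (name_bytes > sizeof line - 2) return -1;
    memset(line, 'a', name_bytes);
    line[name_bytes] = ':';
    line[name_bytes + 1] = '\0';
    return name_len_wraps(line);
}
int main(void)
{
    struct hdr_desc d = encode_unchecked(256, 0);  /* 256-byte name, empty value */
    printf("unchecked: name_len=%u value_len=%u\n", decoded_name_len(d), decoded_value_len(d));
    printf("checked encoder result for 256-byte name: %d\n", encode_checked(256, 0, &d));
    return 0;
}
```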