Bug ID 566630: Outbound ICAP request can double-chunk HTTP payload

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Jan 09, 2016

Severity: 3-Major

Related Article: K17206132

Symptoms

An outbound ICAP request body is double-chunked (has extra chunk headers inserted within the body chunks).

Impact

The ICAP server receives corrupt payload and might malfunction and/or return corrupt payload to the receiving client or server.

Conditions

A primary virtual server has an HTTP profile and either request-adapt or response-adapt profiles, and a corresponding internal virtual server with an ICAP profile. Outbound ICAP request payload might be double-chunked if any of the following are true. Primary virtual server has a request-adapt profile and either: 1. HTTP client sends a POST request with chunked payload and the http profile has request chunking mode 'preserve' (default). 2. HTTP client sends POST request with chunked payload and the http profile has request chunking mode 'selective', unless certain other http related profiles are present on the http virtual server. Primary virtual server has a response-adapt profile and ICAP server responds with a body (200 ok), and: 3. HTTP server responds with chunked payload and the http profile has response chunking mode 'preserve'. If any of these conditions are true, the outbound ICAP request body might be double-chunked.

Workaround

None.

Fix Information

An outbound ICAP request body contains the original unchunked HTTP content with only valid chunk headers in a chain, which can be tracked and removed by the ICAP server to correctly recover the HTTP content.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips