aclkw->match_type was compared twice to PAT_MATCH_DOM in parse_acl_expr().
After auditing the involved types, it's only a copy-paste mistake, as no
other matching method is missing, so let's drop it to avoid the confusion.
Also drop variable ckw which is assigned NULL and passed to free(), and is
clearly a leftover from a previous version.
No backport needed.
In pattern_read_from_file(), in case of failure to load from the file,
the newly allocated reference remains attached to the list and is never
freed. Let's just do it.
This can be backported to all versions since it arrived in 1.5 with
commit 1e00d3853b ("MAJOR: pattern/map: Extends the map edition system
in the patterns").
Maps can leak a map descriptor in sample_load_map() on error. This is
harmless since the process won't start after this, and this cannot be
used at run time. but it's cleaner to fix it. This can be backported.
smp_fetch_acl_parse() first places the newly allocated ACL sample into
the first argument to be parsed, *before* parsing it. The type is not
changed so the first argument remains of type string. In case of error,
the allocated sample is released and release_sample_expr() will call
release_sample_arg() to release the argument, possibly freeing the
string present there. And here's the catch: by overwriting the first
arguments's ->ptr entry, it happens to be located over the ->str.size
location, to not be null and to still be freed, but by pure chance
thanks to aliasing. A slight reorder of the args or buffer fields
could place it in the ->area and provoke a double-free, or even always
make the first argument's parsing fail.
Let's move the assignment after the loop has succeeded instead, and
properly set type=ARGT_PTR so that we never try to free it. The bug
appeared with the "acl()" sample fetch in 2.9 with commit 7fccccccea
("MINOR: acl: add acl() sample fetch") so it can be backported to 3.0.
Adjust QUIC mux stream shut procedure when abort or kill-conn is
performed. Changes are implemented directly into lclose callback for
h3/h09 protocols.
On abort, the stream is resetted as previously. The only change is that
now a proper error code can be used, with REQUEST_CANCELLED specified
for HTTP/3 protocol.
Kill-conn is requested when a tcp-requect connection reject rule has
been executed. In this case the stream is resetted, and the connection
is also closed. This is identical to the H2 multiplexer. HTTP/3 protocol
uses EXCESSIVE_LOAD as error code in this case.
Previously, shut callback was entirely implemented in QUIC mux layer.
However, this operation depends on the above application protocol, as it
may define its own closure procedure and error codes. This is the case
notably with HTTP/3 specification.
This patch defines a stream shut API between QUIC mux and application
protocol layers via the new qcc_app_ops callback lclose(). The closure
reason is specified via an enum argument. Application protcol can then
perform the stream closure as intended.
This patch is only an architecture adjustment but should not have any
functional impact. Stream closure logic was moved identically from QUIC
mux into h3 and h09 lclose callback.
In master-worker mode the master CLI proxy (mworker_proxy) has a
hardcoded maxconn of 10. When a client connects to the master CLI
socket and issues a command that gets forwarded to an unresponsive
worker (e.g. one that is stuck or very slow), the connection hangs
waiting for the worker's response. If the client then disconnects
(timeout, Ctrl-C, etc.), the connection slot is never released because
the client-side FIN is never acknowledged by the unresponsive worker.
After 10 such leaked slots the master CLI socket becomes completely
unreachable, returning "Resource temporarily unavailable" to any new
connection attempt. In containerized deployments this means readiness
probes start failing and the pod gets restarted.
The fix adds a timeout server-fin of 1s to the mworker_proxy. When
the client disconnects while waiting for a worker response, this
timeout ensures the dangling backend connection is cleaned up after
1s, freeing the connection slot. This does not affect normal CLI
operations since the timeout only starts after the client has already
closed its side of the connection.
A regression test is included that blocks the worker CLI thread using
"debug dev delay" with nbthread 1, fills all 10 master CLI slots,
waits for client-side timeouts, then verifies a new connection still
succeeds.
This fixes GH issue #3351.
This should be backported to all stable branches.
Co-authored-by: Martin Strenge <github@trixer.net>
Co-authored-by: William Lallemand <wlallemand@haproxy.com>
It is possible to not have addresses in certain conditions, so we now
also allow the address family to be AF_UNSPEC in quic_dgram_init().
No backport necessary since this code is not yet in a release.
The QUIC code can only handle IPv4 or IPv6 addresses, so using two
sockaddr_storage structs wastes a lot of space in the quic_dgram struct.
This is a very large overhead since this structure is written in the MPSC
ring buffers before every datagram, while many of those datagrams are only
50 bytes or less. Using an union instead saves 200 bytes per datagram,
increasing the capacity of the buffers significantly.
Using an offset instead of a pointer into the datagram buffer is less
error-prone as we do not have to manually fixup that pointer when the
datagram is moved somewhere else in memory.
Use an MPSC ring buffer to hold data for each datagram handler. Holding
this data in a per-handler buffer avoids the HoL blocking we experienced
when we had per-listener buffers with data from all threads mixed up
in them.
This also gets rid of the mt_list contention we were suffering before,
that was causing some threads to be stuck for a significant amount of
time, causing warnings and even crashes in some cases.
This is to be used in the QUIC code, where the multiple producers are
the listener threads, and the single consumer is the datagram handler
thread. Entries are variable-length with a size header, and are kept
contiguous in the buffer, so padding is inserted at the end when an
entry would otherwise wrap around. The size field is overloaded to also
mark padding (-1) and entries that are still free or not yet ready for
reads (0).
Headers and payloads are aligned on 8 bytes. Aligning on 16 bytes might
be beneficial on some architectures to let memcpy() use 128-bit SIMD
instructions.
The head and tail offsets are 64-bit unsigned integers, making ABA
issues from integer overflow impossible on current or near-future
hardware. Reservation uses a CAS rather than FAA because of the need to
insert padding to keep entries contiguous.
HPACK indices start at 1, so idx=0 is invalid. The function only checked
the upper bound before, allowing idx=0 to pass as valid. This is harmless
as the code properly checks for existing name and values everywhere, but
then due to the call to hpack_idx_to_phdr(), index 0 will be taken for
:authority. Let's just make sure it's never zero.
This can be backported.
The variable name is passed as (ptr,len) suggesting that certain callers
might not always have 0-terminated strings (e.g. when used in arguments
where closing parenthesis or commas might follow), the error message
carefully tries to designate the first invalid character, yet by mistake
it prints the whole string. This mistake has been there since commit
4834bc773c ("MEDIUM: vars: adds support of variables") in 1.6. Let's
properly report the char as promised instead. This could be backported
but is totally unimportant.
In 2.5, commit 9a621ae76d ("MEDIUM: vars: add a new "set-var-fmt" action")
introduced the set-var-fmt action. However the storage (by then
sample_store_stream() now var_set()) was added for this specific
branch without any return, leaving the sample copied again over the
variable via the final call, meaning that the variable name is looked
up twice and for proc scope, the lock is taken twice for each call to
set-var-fmt.
This patch removes the first call. Tests show that proc operations
now jump from 1.1M to 1.67M/s on a 64-core CPU (lower lock contention),
while other scopes only observe a modest improvement with few vars
(10 goes from 43.3M to 44M/s). This could be backported.
In 2.5, variables in the scope "proc" were pre-created with commit
df8eeb1619 ("MEDIUM: vars: pre-create parsed SCOPE_PROC variables as
permanent ones"). However one test on var_set() was copy-pasted from
vars_check_args() into parse_store(), and the former returns 0 on
error while for the latter it's a success. This means that some errors
on variables of scope "proc" (typically alloc failure) can be missed
at boot time, probably either making that variable invisible or causing
a crash during boot.
Let's return ACT_RET_PRS_ERR instead. This can be backported.
It's interesting to see that output pointers p1 and p2 were declared
as const, and that thisremained unnoticed due to the explicit casts
to u8 when writing to them. The function is currently not used, but
better clean it up to avoid surprises.
In 3.1 with commit 1bdf6e884a ("MEDIUM: sink: implement sink_find_early()")
sink creation started to support plugging to an existing sink and only
updating the description. However if the strdup() for the new description
failed, it would go down the error path releasing everything, while leaving
the released entry in the sink list and leaving other users still attached
to it.
Here we take a different approach, we first allocate the new description,
and release the old one on success, otherwise we leave the entry unchanged.
And we only release new sinks, not old ones. This way allocation errors
just do not change what is already referenced elsewhere, so that error
unrolling remains clean.
This remains of low importance anyway since it's only a case of boot
error aggravation. Not really needed to be backported.
When an ACME server returns a certificate URL directly in the newOrder
response (order already validated), parse it and transition straight to
ACME_CERTIFICATE, bypassing the auth/challenge steps.
This needs to be backported to 3.2.
When an ACME server returns a newOrder response with an empty
authorizations array (certificate already validated), ctx->auths
remains NULL. The state machine then transitions to ACME_AUTH which
immediately dereferences ctx->next_auth, causing a segfault.
Return an error from acme_res_neworder() so the caller retries.
This needs to be backported to 3.2.
Released version 3.4-dev10 with the following main changes :
- DOC: config: fix spelling of "max-threads-per-group" in the index
- MEDIUM: threads: change the default max-threads-per-group value to 16
- BUG/MEDIUM: mux-h2: ignore conn->owner when deciding if a connection is dead
- BUG/MINOR: task: fix uninitialised read in run_tasks_from_lists()
- MINOR: compression: prefix compression oriented functions with "comp_"
- BUG/MINOR: mux_quic: limit avail_streams() to 2^62
- MINOR: h3: simplify GOAWAY local emission
- MEDIUM: h3: prevent new streams on GOAWAY reception
- MINOR: mux-quic: release BE idle conn after GOAWAY reception
- MINOR: otel: added debug thread ID support for the OTel C wrapper library
- MINOR: otel: test: added option parsing to the speed test script
- MINOR: otel: test: replaced argument variables with positional parameters in run scripts
- CLEANUP: otel: removed insecure-fork-wanted requirement
- MINOR: otel: test: unified run scripts into a single symlinked script
- BUILD: haterm: don't pass size_t to %lu in error messages
- CI: github: merge Test and Test-musl in VTest.yml
- CI: Build halog as part of contrib.yml
- BUG/MINOR: xprt_qstrm: read record length in 64bits
- BUG/MINOR: mux_quic: convert QCC rx.rlen to 64bits
- CI: github: revert quictls version on cross-zoo.yml
- BUG/MINOR: xprt_qstrm: reduce max record length check
- CI: github: use quictls-3.1.7 for cross-zoo.yml
- BUILD: ssl/sample: potential null pointer dereference in sample_conv_aes
- CI: github: add an i686 job in cross-zoo.yml
- CI: github: run cross-zoo.yml weekly
- CI: github: add cross-zoo.yml in README.md
- BUG/MEDIUM: checks: Don't forget to set the "alt_proto" field
- CI: github: do not install pcre-devel on Fedora Rawhide build
- CI: github: fix sysctl in fedora-rawhide
- CI: github: switch to USE_PCRE2 in Fedora Rawhide build
- MINOR: acme: implement draft-ietf-acme-profiles
- MINOR: acme: allow IP SAN in certificate request
- BUG/MINOR: log: consider format expression dependencies to decide when to log
- MINOR: sample: make RQ/RS stats available everywhere
- BUG/MINOR: sample: adjust dependencies for channel output bytes counters
- MEDIUM: muxes: always set conn->owner to the session that owns the connection
- MEDIUM: session: always reset the conn->owner on backend when installing mux
- CLEANUP: mux-h1: avoid using conn->owner in uncertain areas
- CLEANUP: mux-h1: remove the unneeded test on conn->owner in h1s_finish_detach()
- BUG/MAJOR: sched: protect task->expire on 32-bit platforms
- CI: github: add an i686 job to the push job
- BUILD: config: also set DEF_MAX_THREADS_PER_GROUP when not using threads
- reg-tests/ssl/ssl_dh.vtc: fix syntax error
- ci: modernize actions/upload-artifact@v4
- BUG/MINOR: reg-tests: make shell syntax errors fatal
- MINOR: cli: Handle the paylod pattern as a pointer in the cmdline buffer
- MEDIUM: cli: Make a buffer for the command payload
- MEDIUM: cli: Add support for dynamically allocated payloads
- MEDIUM: cli: increase the payload pattern up to 64 bytes
- MINOR: stream: Move the HTTP txn in an union
- MINOR: stream: Add flags to identify the stream tansaction when allocated
- MINOR: stream: Use a pcli transaction to replace pcli_* members
- CLEANUP: applet: Remove useless shadow pointer from appctx
- REGTESTS: ssl: mark ssl_dh.vtc as broken
- BUG/MINOR: mux-h2: count a protocol error when failing to parse a trailer
- BUG/MINOR: mux-h2: count a proto error when rejecting a stream on parsing error
- BUG/MEDIUM: tasks: Make sure we don't schedule a task already running
- BUG/MAJOR: net_helper: ip.fp infinite loop on malformed tcp options
- BUG/MINOR: h2: make tune.h2.log-errors actually work
- BUG/MINOR: h2: Don't look at the exclusive bit for PRIORITY frame
- BUG/MINOR: H2: Don't forget to free shared_rx_bufs on failure
- BUG/MINOR: log: also wait for the response when logging response headers
- BUG/MINOR: mux-h1: Fix condition to send null-chunk for bodyless message
- BUG/MINOR: mux-h1: Fix test to skip trailers from chunked messages
- BUG/MINOR: http-act: fix a typo in a "del-heeaders-bin" error message
- CLEANUP: tcpcheck: Fix some typos in comments
- MINOR: tcpcheck: Rely on free_tcpcheck_ruleset() to deinit tcpchecks
- BUG/MINOR: tcpcheck: Don't release ruleset when parsing 'spop-check' ruleset
- BUG/MINOR: tcpcheck: Fix a leak on deinit by releasing ruleset's conf.file
- CLEANUP: haterm: Fix typos in comments
- CLEANUP: config: Fix warning about invalid small buffer size
- CLEANUP: htx: Fix typos in comments
- CLEANUP: chunk: Fix a typo in a comment
- CLEANUP: http-client: Fix typos in comments
- BUG/MEDIUM: tcpcheck: Release temporary small chunk when retrying on http-check
- CLEANUP: proxy: Fix typos in comments
- DOC: config: Fix a typo for "external-check" directive
- CLEANUP: cli: Fix typos in comments
- BUG/MINOR: stream: Add SF_TXN_HTTP/SF_TXN_PCLI flags in strm_show_flags()
- REGTESTS: Never reuse server connection in jwt/jws_verify.vtc
- REGTESTS: Never reuse server connection in server/cli_delete_dynamic_server.vtc
- BUG/MINOR: compression: properly disable request when setting response
- BUG/MINOR: servers: fix last_sess date calculation
- DOC: config: fix typo introduce in max-threads-per-group documentation
- BUG/MINOR: stream: add the newly added SF_TXN_* flags to strm_show_flags()
- BUG/MINOR: debug: properly mark the entire libs archive read-only
- Revert "BUG/MINOR: stream: add the newly added SF_TXN_* flags to strm_show_flags()"
- BUG/MINOR: server: fix a possible leak of an error message in dynamic servers
- BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well
- BUG/MEDIUM: mux-h1: Force close mode for bodyless message announcing a C-L
- BUG/MINOR: mux_quic: prevent crash on qc_frm_free() with QMux
- BUG/MINOR: xprt_qstrm: ensure all local TPs are allocated
- BUG/MINOR: xprt_qstrm: prevent crash if conn release on MUX wake
- BUG/MINOR: mux_quic: do not release conn on qcc_recv() for QMux
- MINOR: xprt_qstrm: remove unused subs
- MINOR: connection: document conn_create_mux()
- MINOR: xprt_qstrm: implement close callback
- MINOR: mux_quic: refactor QMux send frames function
- MINOR: mux_quic: use dynamic Tx streams buffers for QMux
- MINOR: mux_quic: use dynamic conn buffers for QMux
- MINOR: mux_quic/xprt_qstrm: simplify Rx buffer transfer
- MINOR: mux_quic: receive MAX_STREAMS_BIDI frames in QMux
- MINOR: mux_quic: handle conn errors on QMux without crash
- MINOR: mux_quic: handle incomplete QMux record read
- BUG/MINOR: tcpcheck: Allow connection reuse without prior traffic
- MINOR: sample: converter for frontend existence check
- BUG/MEDIUM: stats: fix crash on 'dump stats-file'
- BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_ckch.c
- BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_sock.c
- BUG/MINOR: ssl: fix memory leak on realloc failure in acme.ips
- DOC: config: Fix log-format example with last rule expressions
- DOC: config: Fix typo in tune.bufsize.large description
- MEDIUM: ot: emitted deprecation warning at filter init
- BUILD: ot: emitted deprecation warning at build time
- BUG/MINOR: ssl: fix double-free on failed realloc in ssl_sock.c
- BUG/MINOR: tree-wide: fix a few user-visible spelling mistakes from dev7
- CLEANUP: tree-wide: address various spelling mistakes in comments from -dev7
- BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading
- BUG/MINOR: tools: fix memory leak in indent_msg() on out of memory
- BUG/MINOR: tools: free previously allocated strings on strdup failure in backup_env()
- BUG/MINOR: sample: fix memory leak in check_when_cond() when ACL is not found
- BUG/MINOR: sample: fix memory leak in smp_resolve_args error paths
- BUG/MINOR: sample: fix NULL strm dereference in sample_conv_when
- BUG/MINOR: peers: fix logical "and" when checking for local in PEER_APP_ST_STARTING
- BUG/MINOR: peers: fix wrong flag reported twice for dump_flags
- CLEANUP: peers: fix a few user-visible spelling mistakes
- CLEANUP: tools: drop upper case check after tolower()
- CLEANUP: mux-h2: remove duplicate forward declaration of h2s_rxbuf_{head,tail}()
- CLEANUP: tree-wide: fix around 20 mistakes in comments in h2,tools,peers
- MINOR: mux_quic: return conn error code in debug string
- MINOR: mux_quic: display QCS sd on traces
- MINOR: mux_quic/h3: report termination events at connection level
- MINOR: mux_quic/h3: report termination events at stream layer
- BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size()
- BUG/MINOR: http_ana: use scf to report term_evts in http_wait_for_request()
- MINOR: lb: infrastructure for declarative initialization
- MEDIUM: lb: use the LB ops tables
- MINOR: lb: cleanups
- MINOR: mux_quic: remove superfluous b_size() before b_alloc()
- BUG/MINOR: mux_quic: free frames emitted with QMux
- BUILD: 51d: fix bool definition on dummy lib v4
- CLEANUP: Reapply ist.cocci (4)
- CLEANUP: Reapply strcmp.cocci (3)
- CLEANUP: Reapply ha_free.cocci (2)
- BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization
- BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
- BUG/MEDIUM: http-htx: Loop on full host value during scheme based normalization
- MEDIUM: http-htx: Make authority update optional when replacing a header value
- MEDIUM: http-htx: Make authority update optional when adding a header
- BUG/MAJOR: http: forbid comma character in authority value
- BUG/MEDIUM: h1: Enforce the authority validation during H1 request parsing
- BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size
- BUG/MEDIUM: tasks: Do not loop in task_schedule() if a task is running
- BUG/MINOR: fix various typos and spelling mistakes in user-visible messages
- CLEANUP: tree-wide: fix comment typos all over the tree (~68)
- BUG/MINOR: payload: validate minimum keyshare_len in smp_fetch_ssl_keyshare_groups
- BUG/MINOR: payload: prevent integer overflow in distcc token parsing
- BUG/MINOR: net_helper: fix out-of-bounds read in tcp_fullhdr_find_opt
- BUG/MINOR: net_helper: fix out-of-bounds read in sample_conv_tcp_options_list
- BUG/MINOR: net_helper: fix incomplete decoding in sample_conv_eth_vlan
- BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record
- BUG/MINOR: http-htx: Don't normalize emtpy path for OPTIONS requests
When the scheme-based normalization is performed, an empty path is
normalized to "/". But as stated in RFC9110#4.2.3, this must not be applied
on OPTIONS requests.
So let's fix the issue by adding a test on the method.
Thanks to @zhanhb for the bug report and the analysis.
This patch should fix the issue #3352. It must be backported as far as 3.0.
The function encoding and sending FCGI_PARAM records was reworked to
properly deal with full buffer. An error must be triggered only when the
parameters cannot be encoded while the mbuf is empty (or the free space is
greater than the max record size). Otherwise we must wait and retry later.
Before, an error was triggered on encoding error if any HTX block was
consumed, regarless the mbuf state. Now, blocks are removed on success
only. So we can wait for more space.
This patch should fix the issue #3346. It should be backported to all stable
versions.
sample_conv_eth_vlan() reads the VLAN TCI at area[idx + 2] without
ensuring there are enough bytes. The original condition 'idx + 4 < data'
breaks when there IS room for more data, leading to an incomplete read
when trying to decode a VLAN ID.
This can be backported where this converter was backported.
sample_conv_tcp_options_list() uses 'ofs + 1 <= len' to check bounds
before reading the option length field at area[ofs + 1]. When ofs + 1
equals len, this reads one byte past the valid buffer (valid indices are
0 to len-1).
This is the same bug pattern as tcp_fullhdr_find_opt() fixed previously,
and the impact is also almost inexistent.
tcp_fullhdr_find_opt() reads smp->data.u.str.area[next + 1] without
checking that next + 1 < len. When the last byte of a TCP header's
options section (at index len - 1) contains an option type that is not
0 (EOL) and not 1 (NOP), the code reads one byte past the valid buffer,
which is an out-of-bounds read, which in practice is totally harmless
but should be fixed.
This can be backported where tcp_fullhdr_find_opt() was backported.
In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code
does "ofs += body" without checking if body is larger than the remaining
data. If a malicious distcc packet contains a token with a very large
body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap
around to a small value, causing the next iteration's bounds check
"ofs + 12 > ci_data(chn)" to pass incorrectly.
This could lead to out-of-bounds reads or an infinite loop.
Given that this is only used in trusted environments, this is mostly
harmless. It can be backported to all stable versions.
The keyshare extension parsing loop reads dataPointer[readPosition+2]
and dataPointer[readPosition+3] inside the loop body, requiring at least
4 bytes to be safe. However, keyshare_len was only validated as >= 2.
With keyshare_len == 2 or 3, the first loop iteration would read past
the end of the extension data, causing an out-of-bounds read which is
harmless in practice. We also need to make sure that the read position
stops 4 bytes before the end in order to read the 4 next bytes.
This can be backported to stable versions.
A few typos like "not unhandled" in error messages, and some spelling
mistakes mostly in cfgparse error messages were fixed. One spelling
mistake in a function name was fixed as well (ssl_sock_chose_sni_ctx
renamed to ssl_sock_choose_sni_ctx). Those which apply may be worth
being backported.
Commit 7e1cc0fcdbcace75a957a69fc8a4d991f7b30fdb made it so we'd loop in
task_schedule() if the task is currently running, so that we'd be sure
that the task would not overwrite the expire field. However,
task_schedule() may be called while a lock is held, and if the running
task attempts to acquire that lock, it will lead to a deadlock.
So instead, if the task is running, just wake it up, so that we're sure
that it will reschedule itself correctly, as it should do anyway. We
already do nothing if the task is in a run queue, so it is expected that
tasks do that, and if they do not, then it is a bug.
This should fix github issue #3350
This should be backported where 7e1cc0fcdbcace75a957a69fc8a4d991f7b30fdb
has been backported, which should be up to 2.8.
Functions emitting chunks size are using size_t integer to do so. Depending
on the code path, these functions can be called using an unsigned long long
integer (h1m->curr_len for instance). On 64-bits architectures, there is no
issue. But on the 32-bits architecture, it is a problem. size_t are 32-bits
integer so the 64-bits parameter will be casted to a 32-bits integer. For
chunk size exceeding 4GB, the wrong size will be emitted.
To fix the issue, these functions are now using true 64-bits
integer. h1s_consume_kop() was also modified accordingly.
In addition, when a size_t is compared to a 64-bits integer, an explicit
cast is used to be sure the right type is used.
This patch must be backported as far as 3.0. It must be backported after
1ef74fc7c ("BUG/MEDIUM: mux_h1: fix stack buffer overflow in
h1_append_chunk_size()").
When a H1 request was parsed, only a light validation was performed on the
URI, mainly because there was no distinction between the different parts of
the URI. So only characters in the range [0x21, 0x7e], excluding the "#" was
allowed.
To be consistant with the H2 and H3 parser, the authority is now validated,
using http_authority_has_forbidden_char() function.
This patch should be backported as far as 2.8. For previous verions,
http_authority_has_forbidden_char() function does not exist.
Strictly speaking, the comma character in authority is allowed by RFC3986.
However, it is pretty ambiguous for Host header value because comma is also
the value separator for headers supporting multiple value. It is also very
unlikely to have comma in host header value or authority. So instead of
dealing with this case with all the risks of bugs that this entails, we've
decided to forbid the comma in authority and host header value during the
parsing. Concretely, only http_authority_has_forbidden_char() was updated.
The internal API was not updated to prevent comma to be inserted when the
host header value is updated for instance. But this should be so uncommon
that it is not really a concern.
This patch should be backported as far as 2.8. For previous verions,
http_authority_has_forbidden_char() function does not exist.
This patch is similar to the previous one but for header addtion. It is now
possible to skip the authority updated. An extra argument was added to
http_add_header() function for this purpose.
When a header value is replaced, a test is performed to verify if the
authority must be updated or not. But there are some places where we know it
is useless. First, when the caller know the header is not the host
header. Then when the host header value is updated because the authority was
changed.
So now, an extra argument was added to http_replace_header() and
http_replace_header_value() functions to specify if the authority update
must be performed or not.
During scheme based normalization, when the authority is normalized, the
host headers are updated accordingly. Only full host header values must be
updated. Comma-separated list are not expected here.
It is important to do so to be consistant with other places where the host
header is updated (when the request URI is changed for instance).
When a host header value is updated, the authority can also be updated
accordingly. When it is performed, we must not use the new host header value
from the HTX message. Instead we must use the data passed as argument. It is
unexpected but the host header can have several comma-separated values.
Using the full header value can lead to unexpected result.
Note: having multiple comma-separated values for the host header should not
be supported. The comma should be part of the host value. But it is
quite ambiguous. This will be fixed in another commit.
This patch must be backported to all stable versions.
During the scheme based normalization, The original authority value is used
to replace every host headers. It is an issue, because when the HTX message
is modified the blocks may be reorganised to find free space. For instance a
defragmentation can be performed. So the address of the authority can
change. To perform such rewrite, the new value must be stored in a temporary
buffer. It is especially important because the start-line is also updated,
so the original authority could be moved, making it invalid.
Because of this bug, it is possible to mix HTX block values. There is no
overflow but the start-line can be crushed with data from the host header
value, making it invalid for the server.
So, to fix the issue, the new host header value is now the one in the trash
chunk used to rewrite the start line. But in that case, the trash chunk must
be allocated to be sure it remains valid when replacing all host headers
values.
This patch must be backported as far as 2.6.
Modern compiler breaks when defining bool, false and true.
Include <stdbool.h> instead.
$ make -j$(nproc) TARGET=linux-glibc USE_51DEGREES=1 \
51DEGREES_VER=4 51DEGREES_SRC=addons/51degrees/dummy/v4hash/
When using QUIC, mux instantiates quic_frame objects but does not free
them. This is performed only when acknowledgment are received.
This is not the case for QMux protocol, as the transport layer is much
simpler in this case. As such, mux is responsible to free up the frames
after emission.
This patch fixes qcc_qstrm_send_frames() by adding the necessary
qc_frm_free() calls as soon as a frame is emitted. This fixes a memory
leak. This function ensures that the freed object is removed from its
parent list, so LIST_DEL_INIT() is not necessary anymore.
No need to backport.
b_alloc() does nothing if a buffer is already allocated. As such, it is
not necessary to call b_size() as a check prior to it. Removes its usage
in qcc_qstrm_recv() so that the code is similar to other b_alloc()
usages.
Remove exports for functions that are not called directly anymore, and
make them static. This involves some reordering to avoid the need for a
forward static declaration.
Also remove the old callback fields from the lbprm struct.
This creates an ops structure for the various callbacks into the LB
algorithms, and defines those ops structure for each algorithm. A new
proxy_init callback is added for the initialization functions called
from proxy_finalize(). Since one of them needs to return an int in case
of an error, we change all the others to also return an int so we have a
uniform type.
No functional changes.
