Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / ef907fee12b086c8c95f726579b95f09af3b33c5
commitef907fee12b086c8c95f726579b95f09af3b33c5[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Tue May 03 17:46:24 2016 +0200
committerWilly Tarreau <w@1wt.eu>Tue May 03 17:58:03 2016 +0200
tree32f7d04bba2ab4b38ca02054e3839a8ee844901a
parent3de5bd603c7d1e6af979c8067c313847262f6d78 [diff]
BUG/MAJOR: channel: fix miscalculation of available buffer space (4th try)

Unfortunately, commit 169c470 ("BUG/MEDIUM: channel: fix miscalculation of
available buffer space (3rd try)") was still not enough to completely
address the issue. It fell into an integer comparison trap. Contrary to
expectations, chn->to_forward may also have the sign bit set when
forwarding regular data having a large content-length, resulting in
an incomplete check of the result and of the reserve because the with
to_forward very large, to_forward+o could become very small and also
the reserve could become positive again and make channel_recv_limit()
return a negative value.

One way to reproduce this situation is to transfer a large file (> 2GB)
with http-keep-alive or http-server-close, without splicing, and ensure
that the server uses content-length instead of chunks. The transfer
should stall very early after the first buffer has been transferred
to the client.

This fix now properly checks 1) for an overflow caused by summing o and
to_forward, and 2) for o+to_forward being smaller or larger than maxrw
before performing the subtract, so that all sensitive operations are
properly performed on 33-bit arithmetics.

The code was subjected again to a series of tests using inject+httpterm
scanning a wide range of object sizes (+10MB after each new request) :

  $ printf "new page 1\nget 127.0.0.1:8002 / s=%%s0m\n" | \
      inject64 -o 1 -u 1 -f /dev/stdin

With previous fix, the transfer would suddenly stop when reaching 2GB :

   hits ^hits hits/s  ^h/s     bytes  kB/s  last  errs  tout htime  sdht ptime
    203     1      2     1 216816173354 2710202 3144892     0     0 685.0 0.0 685.0
    205     2      2     2 219257283186 2706880 2441109     0     0 679.5 6.5 679.5
    205     0      2     0 219257283186 2673836     0     0     0 0.0 0.0 0.0
    205     0      2     0 219257283186 2641622     0     0     0 0.0 0.0 0.0
    205     0      2     0 219257283186 2610174     0     0     0 0.0 0.0 0.0

Now it's fine even past 4 GB.

Many thanks to Vedran Furac for reporting this issue early with a common
access pattern helping to troubleshoot this.

This fix must be backported to 1.6 and 1.5 where the commit above was
already backported.
1 file changed
tree: 32f7d04bba2ab4b38ca02054e3839a8ee844901a
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. CONTRIBUTING
  11. LICENSE
  12. MAINTAINERS
  13. Makefile
  14. README
  15. ROADMAP
  16. SUBVERS
  17. VERDATE
  18. VERSION