Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 467c14797f9b18ae07aafa391e467f245eca9716
commit467c14797f9b18ae07aafa391e467f245eca9716[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Wed Apr 20 18:05:17 2016 +0200
committerWilly Tarreau <w@1wt.eu>Mon Apr 25 17:50:38 2016 +0200
treebafc6c1d50fe4260ac7ea366170590677a946376
parentfdc90ca66612c6070e108553bb53c992aab67f67 [diff]
BUG/MEDIUM: channel: fix miscalculation of available buffer space (3rd try)

Latest fix 8a32106 ("BUG/MEDIUM: channel: fix miscalculation of available
buffer space (2nd try)") did happen to fix some observable issues but not
all of them in fact, some corner cases still remained and at least one user
reported a busy loop that appeared possible, though not easily reproducible
under experimental conditions.

The remaining issue is that we still consider min(i, to_fwd) as the number
of bytes in transit, but in fact <i> is not relevant here. Indeed, what
matters is that we can read everything we want at once provided that at
the end, <i> cannot be larger than <size-maxrw> (if it was not already).

This is visible in two cases :
  - let's have i=o=max/2 and to_fwd=0. Then i+o >= max indicates that the
    buffer is already full, while it is not since once <o> is forwarded,
    some space remains.

  - when to_fwd is much larger than i, it's obvious that we can fill the
    buffer.

The only relevant part in fact is o + to_fwd. to_fwd will ensure that at
least this many bytes will be moved from <i> to <o> hence will leave the
buffer, whatever the number of rounds it takes.

Interestingly, the fix applied here ensures that channel_recv_max() will
now equal (size - maxrw - i + to_fwd), which is indeed what remains
available below maxrw after to_fwd bytes are forwarded from i to o and
leave the buffer.

Additionally, the latest fix made it possible to meet an integer overflow
that was not caught by the range test when forwarding in TCP or tunnel
mode due to to_forward being added to an existing value, causing the
buffer size to be limited when it should not have been, resulting in 2
to 3 recv() calls when a single one was enough. The first one was limited
to the unreserved buffer size, the second one to the size of the reserve
minus 1, and the last one to the last byte. Eg with a 2kB buffer :

recvfrom(22, "HTTP/1.1 200\r\nConnection: close\r"..., 1024, 0, NULL, NULL) = 1024
recvfrom(22, "23456789.123456789.123456789.123"..., 1023, 0, NULL, NULL) = 1023
recvfrom(22, "5", 1, 0, NULL, NULL)     = 1

This bug is still present in 1.6 and 1.5 so the fix should be backported
there.
(cherry picked from commit 169c47028a0e897fff12d7454d8254c17b68562e)
(cherry picked from commit ff9c7e24fbbc33074e5257297e38473a3411f407)
[wt: in 1.5 the function is called buffer_max_len and is identical]
1 file changed
tree: bafc6c1d50fe4260ac7ea366170590677a946376
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. CONTRIBUTING
  11. LICENSE
  12. Makefile
  13. README
  14. ROADMAP
  15. SUBVERS
  16. VERDATE
  17. VERSION