Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / ef9a169ed4845c70514ec12f262ea54641b020f8^! / . / src / proto_htx.c
commitef9a169ed4845c70514ec12f262ea54641b020f8[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Fri Feb 21 10:20:46 2020 +0100
committerChristopher Faulet <cfaulet@haproxy.com>Fri Feb 21 15:07:46 2020 +0100
tree36b5aa22ffd88096b6b1efe00fa5030d9b7c2769
parent943ab4d62c48a8545b8b655c92d664c56ee6b19a [diff] [blame]
BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered

If an client error is reported on the request channel (CF_READ_ERROR) while a
session is tarpitted, no error is returned to the client. Concretly,
http_reply_and_close() function is not called. This function is reponsible to
forward the error to the client. But not only. It is also responsible to abort
the request. Because this function is not called when a read error is reported
on the request channel, and because the tarpit analyzer is the last one, there
is nothing preventing a connection attempt on a server while it is totally
unexpected.

So, a useless connexion on a backend server may be performed because of this
bug. If an HTTP load-balancing algorithm is used on the backend side, it leads
to a crash of HAProxy because the request was already erased.

If you have tarpit rules and if you use an HTTP load-balancing algorithm on your
backends, you must apply this patch. Otherwise a simple TCP reset on a tarpitted
connexion will most likely crash your HAProxy. A safe workaround is to use a
silent-drop rule or a deny rule instead of a tarpit.

This bug also affect the legacy code. It is in fact an very old hidden bug. But
the refactoring of process_stream() in the 1.9 makes it visible. And,
unfortunately, with the HTX, it is easier to hit it because many processing has
been moved in lower layers, in the muxes.

It must be backported as far as 1.9. For the 2.0 and the 1.9, the legacy HTTP
code must also be patched the same way. For older versions, it may be backported
but the bug seems to not impact them.

Thanks to Olivier D <webmaster@ajeux.com> to have reported the bug and provided
all the infos to analyze it.

(cherry picked from commit 9d9d645409e65069c5267422ac9d8d25ca96258d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit ce757fa24f47852ccf0308193e546b585445f7e3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
[Cf: Patch applied on proto_htx.c for the HTX and proto_http.c for the legacy
HTTP code]

diff --git a/src/proto_htx.c b/src/proto_htx.c
index 1b73fe4..1c82bcd 100644
--- a/src/proto_htx.c
+++ b/src/proto_htx.c

@@ -1010,8 +1010,7 @@
 	 */
 	s->logs.t_queue = tv_ms_elapsed(&s->logs.tv_accept, &now);
 
-	if (!(req->flags & CF_READ_ERROR))
-		htx_reply_and_close(s, txn->status, htx_error_message(s));
+	htx_reply_and_close(s, txn->status, (!(req->flags & CF_READ_ERROR) ? htx_error_message(s) : NULL));
 
 	req->analysers &= AN_REQ_FLT_END;
 	req->analyse_exp = TICK_ETERNITY;