From 3a28e6193add3dc6156efb4b8a1160116fce3326 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 20 Sep 2021 07:47:27 +0200 Subject: [PATCH] BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer When a message is parsed and copied into the channel buffer, in h1_process_demux(), more space is requested if some pending data remain after the parsing while the channel buffer is not empty. To do so, CS_FL_WANT_ROOM flag is set. It means the H1 parser needs more space in the channel buffer to continue. In the stream-interface, when this flag is set, the SI is considered as blocked on the RX path. It is only unblocked when some data are sent. However, it is not accurrate because the parsing may be stopped because there is not enough data to continue. For instance in the middle of a chunk size. In this case, some data may have been already copied but the parser is blocked because it must receive more data to continue. If the calling SI is blocked on RX at this stage when the stream is waiting for the payload (because http-buffer-request is set for instance), the stream remains stuck infinitely. To fix the bug, we must request more space to the app layer only when it is not possible to copied more data. Actually, this happens when data remain in the input buffer while the H1 parser is in states MSG_DATA or MSG_TUNNEL, or when we are unable to copy headers or trailers into a non-empty buffer. The first condition is quite easy to handle. The second one requires an API refactoring. h1_parse_msg_hdrs() and h1_parse_msg_tlrs() fnuctions have been updated. Now it is possible to know when we need more space in the buffer to copy headers or trailers (-2 is returned). In the H1 mux, a new H1S flag (H1S_F_RX_CONGESTED) is used to track this state inside h1_process_demux(). This patch is part of a series related to the issue #1362. It should be backported as far as 2.0, probably with some adaptations. So be careful during backports. (cherry picked from commit 46e058dda51cf09ae0a734ce0931be53dcc179a0) Signed-off-by: Christopher Faulet (cherry picked from commit 58f21dae3d82a928ae76a15634c45c8db9bf0aca) [cf: value of H1S_F_RX_CONGESTED flag was changed] Signed-off-by: Christopher Faulet --- reg-tests/http-messaging/http_request_buffer.vtc | 36 ++++++++++- src/h1_htx.c | 71 +++++++++++++--------- src/mux_h1.c | 51 +++++++++++++--- 3 files changed, 118 insertions(+), 40 deletions(-) diff --git a/reg-tests/http-messaging/http_request_buffer.vtc b/reg-tests/http-messaging/http_request_buffer.vtc index 5542e26..4fd7bb2 100644 --- a/reg-tests/http-messaging/http_request_buffer.vtc +++ b/reg-tests/http-messaging/http_request_buffer.vtc @@ -13,6 +13,12 @@ server s1 { rxreq expect req.bodylen == 257 txresp + + accept + + rxreq + expect req.bodylen == 2 + txresp } -start syslog S -level info { @@ -20,6 +26,10 @@ syslog S -level info { expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 fe1/ .* 408 .* - - cD-- .* .* \"GET /this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url HTTP/1\\.1\"" recv expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/[0-9]*/[0-9]*/[0-9]* 200 .* - - ---- .* .* \"GET / HTTP/1\\.1\"" + recv + expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/[0-9]*/[0-9]*/[0-9]* 200 .* - - ---- .* .* \"POST /1 HTTP/1\\.1\"" + recv + expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/ [0-9]*/-1/-1/-1/[0-9]* -1 .* - - CR-- .* .* \"POST /2 HTTP/1\\.1\"" } -start haproxy h1 -conf { @@ -41,6 +51,8 @@ haproxy h1 -conf { use_backend be1 } -start +# 1 byte of the payload is missing. +# ==> The request must timed out with a 408 response client c1 -connect ${h1_fe1_sock} { send "GET" send " " @@ -68,11 +80,33 @@ client c1 -connect ${h1_fe1_sock} { expect resp.status == 408 } -run +# Payload is fully sent +# ==> Request must be sent to the server. A 200 must be received client c2 -connect ${h1_fe1_sock} { txreq -bodylen 257 rxresp expect resp.status == 200 } -run -syslog S -wait +# Payload is fully sent in 2 steps (with a small delay, smaller than the client +# timeout) and splitted on a chunk size. +# ==> Request must be sent to the server. A 200 must be received +client c3 -connect ${h1_fe1_sock} { + send "POST /1 HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n1\r\n1" + delay 0.01 + send "\r\n1\r\n0\r\n\r\n" + rxresp + expect resp.status == 200 +} -run +# Last CRLF of the request payload is missing but payload is sent in 2 steps +# (with a small delay, smaller than the client timeout) and splitted on a chunk +# size. The client aborts before sending the last CRLF. +# ==> Request must be handled as an error with 'CR--' termination state. +client c4 -connect ${h1_fe1_sock} { + send "POST /2 HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n1\r\n1" + delay 0.01 + send "\r\n1\r\n0\r\n" +} -run + +syslog S -wait diff --git a/src/h1_htx.c b/src/h1_htx.c index 0236b3c..9e34076 100644 --- a/src/h1_htx.c +++ b/src/h1_htx.c @@ -173,9 +173,7 @@ static int h1_postparse_req_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx if (h1_eval_htx_size(meth, uri, vsn, hdrs) > max) { if (htx_is_empty(htx)) goto error; - h1m_init_req(h1m); - h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); - return 0; + goto output_full; } /* By default, request have always a known length */ @@ -212,11 +210,15 @@ static int h1_postparse_req_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx end: return 1; + output_full: + h1m_init_req(h1m); + h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); + return -2; error: h1m->err_pos = h1m->next; h1m->err_state = h1m->state; htx->flags |= HTX_FL_PARSING_ERROR; - return 0; + return -1; } /* Postprocess the parsed headers for a response and convert them into an htx @@ -271,9 +273,7 @@ static int h1_postparse_res_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx if (h1_eval_htx_size(vsn, status, reason, hdrs) > max) { if (htx_is_empty(htx)) goto error; - h1m_init_res(h1m); - h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); - return 0; + goto output_full; } if (((h1m->flags & H1_MF_METH_CONNECT) && code == 200) || code == 101) { @@ -314,26 +314,31 @@ static int h1_postparse_res_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx end: return 1; + output_full: + h1m_init_res(h1m); + h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); + return -2; error: h1m->err_pos = h1m->next; h1m->err_state = h1m->state; htx->flags |= HTX_FL_PARSING_ERROR; - return 0; + return -1; } -/* Parse HTTP/1 headers. It returns the number of bytes parsed if > 0, or 0 if - * it couldn't proceed. Parsing errors are reported by setting the htx flag - * HTX_FL_PARSING_ERROR and filling h1m->err_pos and h1m->err_state fields. This - * functions is responsible to update the parser state and the start-line - * if not NULL. - * For the requests, must always be provided. For responses, may - * be NULL and flags HTTP_METH_CONNECT of HTTP_METH_HEAD may be set. +/* Parse HTTP/1 headers. It returns the number of bytes parsed on success, 0 if + * headers are incomplete, -1 if an error occurred or -2 if it needs more space + * to proceed while the output buffer is not empty. Parsing errors are reported + * by setting the htx flag HTX_FL_PARSING_ERROR and filling h1m->err_pos and + * h1m->err_state fields. This functions is responsible to update the parser + * state and the start-line if not NULL. For the requests, + * must always be provided. For responses, may be NULL and flags + * HTTP_METH_CONNECT of HTTP_METH_HEAD may be set. */ int h1_parse_msg_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx *dsthtx, - struct buffer *srcbuf, size_t ofs, size_t max) + struct buffer *srcbuf, size_t ofs, size_t max) { struct http_hdr hdrs[global.tune.max_http_hdr]; - int ret = 0; + int total = 0, ret = 0; if (!max || !b_data(srcbuf)) goto end; @@ -357,6 +362,7 @@ int h1_parse_msg_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx *dsthtx, goto error; goto end; } + total = ret; /* messages headers fully parsed, do some checks to prepare the body * parsing. @@ -368,8 +374,9 @@ int h1_parse_msg_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx *dsthtx, h1m->err_state = h1m->state; goto vsn_error; } - if (!h1_postparse_req_hdrs(h1m, h1sl, dsthtx, hdrs, max)) - ret = 0; + ret = h1_postparse_req_hdrs(h1m, h1sl, dsthtx, hdrs, max); + if (ret < 0) + return ret; } else { if (h1sl && !h1_process_res_vsn(h1m, h1sl)) { @@ -377,8 +384,9 @@ int h1_parse_msg_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx *dsthtx, h1m->err_state = h1m->state; goto vsn_error; } - if (!h1_postparse_res_hdrs(h1m, h1sl, dsthtx, hdrs, max)) - ret = 0; + ret = h1_postparse_res_hdrs(h1m, h1sl, dsthtx, hdrs, max); + if (ret < 0) + return ret; } /* Switch messages without any payload to DONE state */ @@ -387,13 +395,13 @@ int h1_parse_msg_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx *dsthtx, h1m->state = H1_MSG_DONE; end: - return ret; + return total; error: h1m->err_pos = h1m->next; h1m->err_state = h1m->state; vsn_error: dsthtx->flags |= HTX_FL_PARSING_ERROR; - return 0; + return -1; } @@ -551,10 +559,12 @@ int h1_parse_msg_data(struct h1m *h1m, struct htx **dsthtx, return total; } -/* Parse HTTP/1 trailers. It returns the number of bytes parsed if > 0, or 0 if - * it couldn't proceed. Parsing errors are reported by setting the htx flags - * HTX_FL_PARSING_ERROR and filling h1m->err_pos and h1m->err_state fields. This - * functions is responsible to update the parser state . +/* Parse HTTP/1 trailers. It returns the number of bytes parsed on success, 0 if + * trailers are incomplete, -1 if an error occurred or -2 if it needs more space + * to proceed while the output buffer is not empty. Parsing errors are reported + * by setting the htx flags HTX_FL_PARSING_ERROR and filling h1m->err_pos and + * h1m->err_state fields. This functions is responsible to update the parser + * state . */ int h1_parse_msg_tlrs(struct h1m *h1m, struct htx *dsthtx, struct buffer *srcbuf, size_t ofs, size_t max) @@ -587,8 +597,7 @@ int h1_parse_msg_tlrs(struct h1m *h1m, struct htx *dsthtx, if (h1_eval_htx_hdrs_size(hdrs) > max) { if (htx_is_empty(dsthtx)) goto error; - ret = 0; - goto end; + goto output_full; } if (!htx_add_all_trailers(dsthtx, hdrs)) @@ -598,11 +607,13 @@ int h1_parse_msg_tlrs(struct h1m *h1m, struct htx *dsthtx, end: return ret; + output_full: + return -2; error: h1m->err_state = h1m->state; h1m->err_pos = h1m->next; dsthtx->flags |= HTX_FL_PARSING_ERROR; - return 0; + return -1; } /* Finish HTTP/1 parsing by adding the HTX EOM block. It returns 1 on success or diff --git a/src/mux_h1.c b/src/mux_h1.c index afef0bc..09d6ebc 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -64,6 +64,7 @@ #define H1S_F_ERROR 0x00000001 /* An error occurred on the H1 stream */ #define H1S_F_REQ_ERROR 0x00000002 /* An error occurred during the request parsing/xfer */ #define H1S_F_RES_ERROR 0x00000004 /* An error occurred during the response parsing/xfer */ + #define H1S_F_REOS 0x00000008 /* End of input stream seen even if not delivered yet */ #define H1S_F_WANT_KAL 0x00000010 #define H1S_F_WANT_TUN 0x00000020 @@ -73,7 +74,8 @@ #define H1S_F_BUF_FLUSH 0x00000100 /* Flush input buffer and don't read more data */ #define H1S_F_SPLICED_DATA 0x00000200 /* Set when the kernel splicing is in used */ #define H1S_F_PARSING_DONE 0x00000400 /* Set when incoming message parsing is finished (EOM added) */ -/* 0x00000800 .. 0x00001000 unused */ +/* 0x00000800 unused */ +#define H1S_F_RX_CONGESTED 0x00001000 /* Cannot process input data RX path is congested (waiting for more space in channel's buffer) */ #define H1S_F_HAVE_SRV_NAME 0x00002000 /* Set during output process if the server name header was added to the request */ #define H1S_F_HAVE_O_CONN 0x00004000 /* Set during output process to know connection mode was processed */ @@ -1214,7 +1216,8 @@ static void h1_set_res_tunnel_mode(struct h1s *h1s) /* * Parse HTTP/1 headers. It returns the number of bytes parsed if > 0, or 0 if * it couldn't proceed. Parsing errors are reported by setting H1S_F_*_ERROR - * flag. If relies on the function http_parse_msg_hdrs() to do the parsing. + * flag. If more room is requested, H1S_F_RX_CONGESTED flag is set. If relies on + * the function http_parse_msg_hdrs() to do the parsing. */ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *htx, struct buffer *buf, size_t *ofs, size_t max) @@ -1241,9 +1244,9 @@ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *h } ret = h1_parse_msg_hdrs(h1m, &h1sl, htx, buf, *ofs, max); - if (!ret) { + if (ret <= 0) { TRACE_DEVEL("leaving on missing data or error", H1_EV_RX_DATA|H1_EV_RX_HDRS, h1s->h1c->conn, h1s); - if (htx->flags & HTX_FL_PARSING_ERROR) { + if (ret == -1) { if (!(h1m->flags & H1_MF_RESP)) { h1s->flags |= H1S_F_REQ_ERROR; TRACE_USER("rejected H1 request", H1_EV_RX_DATA|H1_EV_RX_HDRS|H1_EV_H1S_ERR, h1s->h1c->conn, h1s); @@ -1256,6 +1259,11 @@ static size_t h1_process_headers(struct h1s *h1s, struct h1m *h1m, struct htx *h TRACE_STATE("parsing error", H1_EV_RX_DATA|H1_EV_RX_HDRS|H1_EV_H1S_ERR, h1s->h1c->conn, h1s); h1_capture_bad_message(h1s->h1c, h1s, h1m, buf); } + else if (ret == -2) { + TRACE_STATE("RX path congested, waiting for more space", H1_EV_RX_DATA|H1_EV_RX_HDRS|H1_EV_H1S_BLK, h1s->h1c->conn, h1s); + h1s->flags |= H1S_F_RX_CONGESTED; + } + ret = 0; goto end; } @@ -1337,6 +1345,11 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx **htx *ofs += ret; end: + if (b_data(buf) != *ofs && (h1m->state == H1_MSG_DATA || h1m->state == H1_MSG_TUNNEL)) { + TRACE_STATE("RX path congested, waiting for more space", H1_EV_RX_DATA|H1_EV_RX_BODY|H1_EV_H1S_BLK, h1s->h1c->conn, h1s); + h1s->flags |= H1S_F_RX_CONGESTED; + } + TRACE_LEAVE(H1_EV_RX_DATA|H1_EV_RX_BODY, h1s->h1c->conn, h1s, 0, (size_t[]){ret}); return ret; } @@ -1345,7 +1358,8 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx **htx * Parse HTTP/1 trailers. It returns the number of bytes parsed if > 0, or 0 if * it couldn't proceed. Parsing errors are reported by setting H1S_F_*_ERROR * flag and filling h1s->err_pos and h1s->err_state fields. This functions is - * responsible to update the parser state . + * responsible to update the parser state . If more room is requested, + * H1S_F_RX_CONGESTED flag is set. */ static size_t h1_process_trailers(struct h1s *h1s, struct h1m *h1m, struct htx *htx, struct buffer *buf, size_t *ofs, size_t max) @@ -1354,9 +1368,9 @@ static size_t h1_process_trailers(struct h1s *h1s, struct h1m *h1m, struct htx * TRACE_ENTER(H1_EV_RX_DATA|H1_EV_RX_TLRS, h1s->h1c->conn, h1s, 0, (size_t[]){max}); ret = h1_parse_msg_tlrs(h1m, htx, buf, *ofs, max); - if (!ret) { + if (ret <= 0) { TRACE_DEVEL("leaving on missing data or error", H1_EV_RX_DATA|H1_EV_RX_BODY, h1s->h1c->conn, h1s); - if (htx->flags & HTX_FL_PARSING_ERROR) { + if (ret == -1) { if (!(h1m->flags & H1_MF_RESP)) { h1s->flags |= H1S_F_REQ_ERROR; TRACE_USER("rejected H1 request", H1_EV_RX_DATA|H1_EV_RX_TLRS|H1_EV_H1S_ERR, h1s->h1c->conn, h1s); @@ -1369,6 +1383,11 @@ static size_t h1_process_trailers(struct h1s *h1s, struct h1m *h1m, struct htx * TRACE_STATE("parsing error", H1_EV_RX_DATA|H1_EV_RX_TLRS|H1_EV_H1S_ERR, h1s->h1c->conn, h1s); h1_capture_bad_message(h1s->h1c, h1s, h1m, buf); } + else if (ret == -2) { + TRACE_STATE("RX path congested, waiting for more space", H1_EV_RX_DATA|H1_EV_RX_TLRS|H1_EV_H1S_BLK, h1s->h1c->conn, h1s); + h1s->flags |= H1S_F_RX_CONGESTED; + } + ret = 0; goto end; } @@ -1428,6 +1447,8 @@ static size_t h1_process_eom(struct h1s *h1s, struct h1m *h1m, struct htx *htx, * Process incoming data. It parses data and transfer them from h1c->ibuf into * . It returns the number of bytes parsed and transferred if > 0, or 0 if * it couldn't proceed. + * + * WARNING: H1S_F_RX_CONGESTED flag must be removed before processing input data. */ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, size_t count) { @@ -1457,6 +1478,9 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, size_t count if (h1c->flags & H1C_F_IN_BUSY) goto end; + /* Always remove congestion flags and try to process more input data */ + h1s->flags &= ~H1S_F_RX_CONGESTED; + do { size_t used = htx_used_space(htx); @@ -1532,7 +1556,7 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, size_t count } count -= htx_used_space(htx) - used; - } while (!(h1s->flags & errflag)); + } while (!(h1s->flags & (errflag|H1S_F_RX_CONGESTED))); if (h1s->flags & errflag) { TRACE_PROTO("parsing error", H1_EV_RX_DATA, h1c->conn, h1s); @@ -1554,8 +1578,17 @@ static size_t h1_process_input(struct h1c *h1c, struct buffer *buf, size_t count if (!b_data(&h1c->ibuf)) h1_release_buf(h1c, &h1c->ibuf); - if (h1s_data_pending(h1s) && !htx_is_empty(htx)) + + /* When Input data are pending for this message, notify upper layer that + * the mux need more space in the HTX buffer to continue if : + * + * - The parser is blocked in MSG_DATA or MSG_TUNNEL state + * - Headers or trailers are pending to be copied. + */ + if (h1s->flags & (H1S_F_RX_CONGESTED)) { h1s->cs->flags |= CS_FL_RCV_MORE | CS_FL_WANT_ROOM; + TRACE_STATE("waiting for more room", H1_EV_RX_DATA|H1_EV_H1S_BLK, h1c->conn, h1s); + } else if (h1s->flags & H1S_F_REOS) { h1s->cs->flags |= CS_FL_EOS; if (h1m->state >= H1_MSG_DONE) -- 1.7.10.4