[master] 66e2ea313 http1: Missing workspace release
Dridi Boukelmoune
dridi.boukelmoune at gmail.com
Mon Aug 30 05:43:07 UTC 2021
commit 66e2ea313e7d75530d90d5bd0df78f9609169c6e
Author: Dridi Boukelmoune <dridi.boukelmoune at gmail.com>
Date: Mon Aug 30 07:38:00 2021 +0200
http1: Missing workspace release
Working on the workspace sanitizer (ancestor of the workspace emulator)
final rollbacks were needed to unwind allocations. There was however a
branch where error handling was missing a workspace release, and it was
fine before the introduction of the final rollbacks.
To avoid turning the workspace emulator into a DoS vector the rollbacks
are now only enforced for emulator builds. The specific "insufficient
workspace" log is amended to ensure future changes to the session
workspace footprint don't accidentally remove test coverage for that
branch. The same could be done for other "insufficient workspace" logs
in the PROXY protocol parsing.
Refs 0632b84693f3 (req: Prevent early rollback)
Refs ce71896ae353 (sess: Plug conceptual leak)
Refs 246b1eb1e888 (busyobj: Plug conceptual leak)
Refs 5b4f0f1addaa (htc: Defer workspace rollbacks for request tasks)
Refs #3644
Spotted by Alf's single process fuzzing setup that we should eventually
revisit.
Refs #3152
diff --git a/bin/varnishd/cache/cache_busyobj.c b/bin/varnishd/cache/cache_busyobj.c
index 139112854..f3e41716f 100644
--- a/bin/varnishd/cache/cache_busyobj.c
+++ b/bin/varnishd/cache/cache_busyobj.c
@@ -181,7 +181,9 @@ VBO_ReleaseBusyObj(struct worker *wrk, struct busyobj **pbo)
}
VCL_Rel(&bo->vcl);
+#ifdef ENABLE_WORKSPACE_EMULATOR
WS_Rollback(bo->ws, 0);
+#endif
memset(&bo->retries, 0,
sizeof *bo - offsetof(struct busyobj, retries));
diff --git a/bin/varnishd/cache/cache_req.c b/bin/varnishd/cache/cache_req.c
index cff1d0470..09addfde4 100644
--- a/bin/varnishd/cache/cache_req.c
+++ b/bin/varnishd/cache/cache_req.c
@@ -172,7 +172,9 @@ Req_Release(struct req *req)
AZ(req->vcl);
if (req->vsl->wid)
VSL_End(req->vsl);
+#ifdef ENABLE_WORKSPACE_EMULATOR
WS_Rollback(req->ws, 0);
+#endif
TAKE_OBJ_NOTNULL(sp, &req->sp, SESS_MAGIC);
pp = sp->pool;
CHECK_OBJ_NOTNULL(pp, POOL_MAGIC);
diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c
index f3bb4da15..f3a9619c0 100644
--- a/bin/varnishd/cache/cache_session.c
+++ b/bin/varnishd/cache/cache_session.c
@@ -646,7 +646,9 @@ SES_Rel(struct sess *sp)
if (i)
return;
Lck_Delete(&sp->mtx);
+#ifdef ENABLE_WORKSPACE_EMULATOR
WS_Rollback(sp->ws, 0);
+#endif
MPL_Free(sp->pool->mpl_sess, sp);
}
diff --git a/bin/varnishd/http1/cache_http1_fsm.c b/bin/varnishd/http1/cache_http1_fsm.c
index 393088520..da8c5fea6 100644
--- a/bin/varnishd/http1/cache_http1_fsm.c
+++ b/bin/varnishd/http1/cache_http1_fsm.c
@@ -119,7 +119,9 @@ http1_new_session(struct worker *wrk, void *arg)
/* Out of session workspace. Free the req, close the sess,
* and do not set a new task func, which will exit the
* worker thread. */
- VSL(SLT_Error, req->sp->vxid, "insufficient workspace");
+ VSL(SLT_Error, req->sp->vxid,
+ "insufficient workspace (proto_priv)");
+ WS_Release(req->ws, 0);
Req_Release(req);
SES_Delete(sp, SC_RX_JUNK, NAN);
return;
diff --git a/bin/varnishtest/tests/o00006.vtc b/bin/varnishtest/tests/o00006.vtc
new file mode 100644
index 000000000..5a6b4e357
--- /dev/null
+++ b/bin/varnishtest/tests/o00006.vtc
@@ -0,0 +1,46 @@
+varnishtest "SES_Reserve_proto_priv() overflow"
+
+feature ipv4
+
+server s1 {
+ rxreq
+ txresp
+} -start
+
+varnish v1 -arg "-p pool_sess=0,0,0" -proto "PROXY" -vcl+backend {} -start
+
+logexpect l1 -v v1 -g raw {
+ expect 0 1000 Begin "sess 0 PROXY"
+ expect 0 = SessOpen
+ expect 0 = Proxy "2 217.70.181.33 60822 95.142.168.34 443"
+ expect 0 = Error {\Qinsufficient workspace (proto_priv)\E}
+ expect 0 = SessClose "RX_JUNK"
+} -start
+
+varnish v1 -cliok "param.set workspace_session 480"
+
+client c1 {
+ # PROXY2 with CRC32C TLV
+ sendhex {
+ 0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a
+ 21 11 00 65
+ d9 46 b5 21
+ 5f 8e a8 22
+ ed 96
+ 01 bb
+ 03 00 04 95 03 ee 75
+ 01 00 02 68 32
+ 02 00 0a 68 6f 63 64 65 74 2e 6e 65 74
+ 20 00 3d
+ 01 00 00 00 00
+ 21 00 07 54 4c 53 76 31 2e 33
+ 25 00 05 45 43 32 35 36
+ 24 00 0a 52 53 41 2d 53 48 41 32 35 36
+ 23 00 16 41 45 41 44 2d 41 45 53 31 32 38
+ 2d 47 43 4d 2d 53 48 41 32 35 36
+ }
+ txreq
+ expect_close
+} -run
+
+logexpect l1 -wait
More information about the varnish-commit
mailing list