On 18/04/2019 at 16:55, William Dauchy wrote:
Hello,

We are triggering a segfault on the last HEAD of the haproxy-1.9 tree, the last
commit being
1e0fd266db3e503783ff623faabcb1dfe211cb89 BUG/MINOR: mworker: disable busy polling in the master process

backtrace:

Thread 1 (Thread 0x7f73aeffd700 (LWP 13044)):
#0  h1_skip_chunk_crlf (stop=0, start=0, buf=0x7f739802b708) at 
include/common/h1.h:208
208             if (*ptr == '\r') {
#1  h1_process_data (h1s=h1s@entry=0x7f739802a910, 
h1m=h1m@entry=0x7f739802a998, htx=0x7f739803a0f0, buf=buf@entry=0x7f739802b708, 
ofs=ofs@entry=0x7f73aefda9a8, max=max@entry=0, 
htxbuf=htxbuf@entry=0x7f73980313e8, reserve=reserve@entry=1024) at 
src/mux_h1.c:1204
#2  0x00005623b1086dc3 in h1_process_input (flags=<optimized out>, 
buf=0x7f73980313e8, h1c=0x7f739802b6f0) at src/mux_h1.c:1391
#3  h1_rcv_buf (cs=<optimized out>, buf=0x7f73980313e8, count=<optimized out>, 
flags=<optimized out>) at src/mux_h1.c:2289
#4  0x00005623b10b9c99 in si_cs_recv (cs=cs@entry=0x7f73980219f0) at 
src/stream_interface.c:1258
#5  0x00005623b10ba160 in si_cs_io_cb (t=<optimized out>, ctx=<optimized out>, 
state=<optimized out>) at src/stream_interface.c:739
#6  0x00005623b10ea30a in process_runnable_tasks () at src/task.c:390
#7  0x00005623b106336f in run_poll_loop () at src/haproxy.c:2648
#8  run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2713
#9  0x00007f73bbae6dd5 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f73ba81fead in clone () from /lib64/libc.so.6

It seems related to the last commits from Christopher Faulet, maybe
around this commit:
http://git.haproxy.org/?p=haproxy-1.9.git;a=commit;h=0c2973662163ab2753a54e729ecdb09dd694c2dd
BUG/MINOR: mux-h1: Process input even if the input buffer is empty

Hi,

You're right, there is a bug in this commit. Here is a patch that should fix the issue.

Thanks,
--
Christopher
From ee37367d428bdde70ce8d406b18a6701eafd535a Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfau...@haproxy.com>
Date: Thu, 18 Apr 2019 21:24:28 +0200
Subject: [PATCH] BUG/MEDIUM: mux-h1: Don't try to parse chunks if there is no
 data to read

The H1 function used to parse the chunk CRLF must not be called when there is no
data in the buffer. The bug was introduced by commit 91f77d599 ("BUG/MINOR:
mux-h1: Process input even if the input buffer is empty"). But, in fact, there
is no reason to try to parse chunk metadata if there is no data.

This patch must be backported to 1.9.
---
 src/mux_h1.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 46bc33c90..529344805 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1155,6 +1155,8 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 		  new_chunk:
 			/* te:chunked : parse chunks */
 			if (h1m->state == H1_MSG_CHUNK_CRLF) {
+				if (!max)
+					goto end;
 				ret = h1_skip_chunk_crlf(buf, *ofs, *ofs + max);
 				if (ret <= 0)
 					goto end;
@@ -1168,6 +1170,8 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 			if (h1m->state == H1_MSG_CHUNK_SIZE) {
 				unsigned int chksz;
 
+				if (!max)
+					goto end;
 				ret = h1_parse_chunk_size(buf, *ofs, *ofs + max, &chksz);
 				if (ret <= 0)
 					goto end;
@@ -1220,6 +1224,8 @@ static size_t h1_process_data(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
 				if (h1s->flags & H1S_F_HAVE_I_TLR)
 					goto skip_tlr_parsing;
 
+				if (!max)
+					goto end;
 				ret = h1_measure_trailers(buf, *ofs, *ofs + max);
 				if (ret > data_space)
 					ret = (htx_is_empty(htx) ? -1 : 0);
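Review bot: here the guard correctly sits below the `H1S_F_HAVE_I_TLR` shortcut, so already-parsed trailers are still skipped when max == 0; if the earlier two guards are ever hoisted to a common spot, this one must stay after that shortcut, so a comment tying the ordering to the flag check would prevent a later refactor from moving it. Also note that `h1_measure_trailers(buf, *ofs, *ofs + max)` is given the same empty range as the two helpers above, so the same defensive start == stop handling inside the helper would be worth adding for consistency.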
-- 
2.20.1
