I've attached a patch to fix a bug in http sampling on raw connections. This 
fixes crashes experienced with a frontend configuration similar to:

frontend haproxy_v4_http_0
  mode tcp
  bind ipv4@:80
  default_backend chat
  tcp-request inspect-delay 60s
  tcp-request content reject unless { req_len gt 0 }
  acl example_com req.hdr(host) -m str example.com
  acl example_org req.hdr(host) -m str example.org
  acl example_net req.hdr(host) -m str example.net
  acl chat path -m str /chat
  acl post method -m str POST
  use_backend chat if chat post # explicitly send chunked transfer encoded chat 
to chatd
  use_backend cdn if example_com
  use_backend cdn if example_org
  use_backend cdn if example_net

If the host header in inbound requests is not example.com, the check for 
example.org will use the wrong trash buffer, and sometimes results in crashes. 
I wasn't able to get a clear crash reproduction, but the call to 
htx_get_next_blk() in src/http_htx.c:http_find_header would be called with blk 
way out of range, and the loop will walk memory until it happens to find an 
exit condition, or it reads unmapped memory and segfaults. Most often, it seems 
the wrong trash buffer still has the old htx buffer, so it usually doesn't 

I found the blk pointer was out of range in my core dumps, and added logging in 
htx_get_next when pos > htx->tail; from there it was pretty easy to figure out 
what happened.

I solved this by using a thread local static buffer for the raw buffer to htx 
conversion, but there's probably other ways to fix it.

This should be backported to 2.0, and possible 1.9 if htx processing is used 
for mode tcp with http header processing in 1.9, which I'm not sure about.

  Richard Russo

Attachment: 0001-BUG-MAJOR-http-sample-use-a-static-buffer-for-raw-ht.patch
Description: Binary data

Reply via email to