Hi,

HAProxy 1.9.11 was released on 2019/09/27. It added 33 new commits
after version 1.9.10.

This release fixes several issues in the H2 multiplexer, among which 2 major
bugs about the way received frames are handled on the error path. The first one
dates from the early days of the H2 multiplexer. During frame demultiplexing,
when an error is reported on a stream, the payload of the current frame must be
drained to allow parsing of the following frames. This part was buggy. The whole
announced frame length was systematically drained and not only the available
part of it. For partially received frames, too much data was drained from the
demux buffer, leaving it in a buggy state and thus corrupting the memory on the
next receives. This old bug is certainly responsible for many hard-to-reproduce
and unresolved issues and also crashes. The second major bug is about a desync
of the HPACK decoder. HEADERS frames received for an unknown or already closed
stream were simply ignored. As stated in RFC7540#5.1, those frames must be
skipped. But because they carry a compression state they must still be processed
before being dropped to keep the HPACK decoder synchronized. Because those
HEADERS frames were not decoded, the HPACK decoder could get out of sync. It
is a major bug because it led to a mix-up of headers for the following streams.

An AB/BA locking issue was fixed about the listeners. The functions
protocol_enable_all() and delete_listener() were using the same locks in a
reverse order. The former being used during startup and the latter during stop,
it was possible to have a deadlock during reload floods.

Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
reject messages featuring a transfer-encoding header missing the "chunked"
value. The impact was limited, but if combined with "http-reuse always", it
could be used as a help to construct a content smuggling attack against a
vulnerable component employing a lenient parser which would ignore the
content-length header as soon as it sees a transfer-encoding one, without even
parsing it.

An improvement was made on the idle connections management. Now, we don't keep
more idle connections than we've ever had outstanding requests on a server. This
way the total number of idle connections will never exceed the sum of maximum
connections. Thus highly loaded servers will be able to get many connections and
slightly loaded servers will keep fewer. This addresses performance issues with
the option "http-reuse safe" because of too many idle connections kept open and
never reused.

An old bug on legacy HTTP analyzers was fixed. When HAProxy was waiting for a
request or a response, the parsing was delayed if the buffer appeared as not
rewritable (reserve not fully free), without any other criteria. It might block
the message analysis for a while, sometimes infinitely depending on
circumstances. For instance, it was happening when the cache applet used the
reserve to add the header "Age" on cached responses. This test was based on an
old implicit assumption that stated if a buffer was not rewritable, it meant
some outgoing data were pending to be sent. On recent versions, this is not true
anymore because all outgoing data are sent before starting the analysis of the
next transaction.

A bug in the SPOE was fixed by Kevin Zhu. The same engine-id was used when
nbproc was more than 1. So, in async mode, an agent receiving a NOTIFY frame
from a process was able to send the ACK to another process. So thanks to Kevin,
now a different engine-id is generated for each process. In addition, a similar
change was made when several threads are started, making the SPOE async mode
compatible with multithreaded configuration.

Krisztián Kovács fixed 2 issues about the namespaces. First, he fixed a FD leak
in master-worker mode. The FDs opened during namespaces configuration parsing
were not closed when the master process was re-executing itself, effectively
leaking the fds and preventing destruction of namespaces no longer present in
the configuration. Then, he fixed a bug during the soft shutdown, introducing a
cleanup function that closes all namespace file descriptors by iterating over
the namespace ebtree.

A bug was fixed in the H1 multiplexer about trailers parsing. The trailers of
chunked messages were sometimes truncated on buffer boundary because the parser
systematically reported an error when the buffer was full during trailers
parsing. Now, an error is only reported if the buffer is full because trailers
are too large.

A bug was fixed in the cache of small objects. HTTP messages with a header part
impinging upon the buffer's reserve were stored in the cache. Now these
messages are not cached anymore. The reserve must remain available to handle the
response processing when a cached object is served, just like any other
response.

Finally, the usual bunch of bug fixes here and there. An issue about the
thread-safety of external checks was fixed. The sample fetch url32 was fixed to
really take the path part into account. A memory leak during configuration
parsing was fixed, when an ACL expression was parsed. Response flags are now
correctly reset when 1xx messages are handled so it is possible to compress HTTP
responses preceded by a 100-Continue. The server weights are now ignored for
empty servers to not always pick the same server on low load (thanks to
@malsumis and @jaroslawr for this fix). The H2 multiplexer was slightly
improved, avoiding the wake up of streams before the mux is ready. The number of
idle connections for each server is now reported on the stats page as well as
the configuration limit. And so on.

As said for release 2.0.7, if you are using HTTP/2, you must upgrade
as soon as possible. For others, please give 1.9.11 a try as it fixes many
issues.

---
Complete changelog :
Adis Nezirovic (1):
      BUG/MINOR: Missing stat_field_names (since f21d17bb)

Christopher Faulet (14):
      BUG/MEDIUM: lua: Fix test on the direction to set the channel exp timeout
      BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
      BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled
      BUG/MINOR: h1: Properly reset h1m when parsing is restarted
      BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big
      BUG/MINOR: listener: Fix a possible null pointer dereference
      BUG/MINOR: filters: Properly set the HTTP status code on analysis error
      BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
      BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame
      BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream
      BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames
      MINOR: spoe: Improve generation of the engine-id
      MINOR: spoe: Support the async mode with several threads
      DOC: Fix documentation about the cli command to get resolver stats

Jerome Magnin (1):
      BUG/MEDIUM: url32 does not take the path part into account in the returned hash.

Kevin Zhu (1):
      BUG/MEDIUM: spoe: Use a different engine-id per process

Krisztian Kovacs (1):
      BUG/MEDIUM: namespace: close open namespaces during soft shutdown

Krisztián Kovács (kkovacs) (1):
      BUG/MEDIUM: namespace: fix fd leak in master-worker mode

Lukas Tribus (1):
      BUG/MINOR: lua: fix setting netfilter mark

Olivier Houchard (1):
      MEDIUM: checks: Make sure we unsubscribe before calling cs_destroy().

Willy Tarreau (11):
      BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary
      BUG/MINOR: mworker: disable SIGPROF on re-exec
      BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener()
      BUG/MINOR: lb/leastconn: ignore the server weights for empty servers
      BUG/MEDIUM: connection: don't keep more idle connections than ever needed
      MINOR: stats: report the number of idle connections for each server
      BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding
      BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1
      BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready
      BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams
      MINOR: tools: implement my_flsl()

n...@users.noreply.github.com (1):
      DOC: fixed typo in management.txt

-- 
Christopher Faulet
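
The first H2 bug described in the announcement (draining the announced frame length instead of the part actually received) comes down to one clamp. The following is an added example, not HAProxy code: the `demux` structure, its field names and the function names are hypothetical, and the byte strings are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified demux state (not HAProxy's real structures). */
struct demux {
    unsigned char buf[64]; /* received bytes not yet consumed */
    size_t data;           /* number of valid bytes in buf */
    size_t dfl;            /* payload bytes of the current frame still to skip */
};

/* Append newly received bytes, clamped to the free room; returns the count. */
static size_t demux_recv(struct demux *d, const void *src, size_t len)
{
    if (len > sizeof(d->buf) - d->data)
        len = sizeof(d->buf) - d->data;
    memcpy(d->buf + d->data, src, len);
    d->data += len;
    return len;
}

/* Skip the payload of a frame whose stream is in error. Only bytes that are
 * actually buffered are consumed (the bug drained all of dfl at once); the
 * remainder stays in dfl for later calls. Returns 1 once the frame is skipped. */
static int demux_skip_frame(struct demux *d)
{
    size_t n = d->dfl < d->data ? d->dfl : d->data;

    memmove(d->buf, d->buf + n, d->data - n);
    d->data -= n;
    d->dfl  -= n;
    return d->dfl == 0;
}

/* Constructed scenario: a 10-byte payload arrives as 4 bytes, then 6 bytes
 * followed by 3 bytes of the next frame. Returns the bytes left, -1 on error. */
static int demo_partial_skip(void)
{
    struct demux d = { .data = 0, .dfl = 10 };

    demux_recv(&d, "AAAA", 4);
    if (demux_skip_frame(&d) || d.data != 0 || d.dfl != 6)
        return -1;          /* frame not finished: 6 bytes still owed */
    demux_recv(&d, "AAAAAANXT", 9);
    if (!demux_skip_frame(&d) || memcmp(d.buf, "NXT", 3) != 0)
        return -1;          /* next frame's bytes must be intact */
    return (int)d.data;
}

int main(void) { return demo_partial_skip() == 3 ? 0 : 1; }
```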
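
The transfer-encoding fix mentioned above can be pictured as a framing decision made before any body byte is forwarded. This is an added example, not HAProxy's parser: the function and enum names are hypothetical, header values are assumed to be already merged into one string, and it applies the stricter RFC 7230 section 3.3.3 rule that "chunked" must be the final coding, which goes slightly beyond the "missing" case the announcement names.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum body_framing { BODY_NONE, BODY_CONTENT_LENGTH, BODY_CHUNKED, BODY_REJECT };

/* Returns 1 if the last comma-separated coding in a Transfer-Encoding value
 * is "chunked" (case-insensitive, surrounding whitespace ignored). */
static int te_final_is_chunked(const char *v)
{
    const char *end = v + strlen(v);
    const char *start;

    while (end > v && (end[-1] == ' ' || end[-1] == '\t'))
        end--;                          /* trim trailing whitespace */
    start = end;
    while (start > v && start[-1] != ',')
        start--;                        /* back up to the last comma */
    while (start < end && (*start == ' ' || *start == '\t'))
        start++;                        /* trim leading whitespace */
    return (end - start) == 7 && strncasecmp(start, "chunked", 7) == 0;
}

/* Decide how the body is delimited. te and cl are the raw header values, or
 * NULL when the header is absent. A transfer-encoding that does not end with
 * chunked is rejected rather than silently falling back to content-length,
 * so two hops can never disagree on where the message ends. */
static enum body_framing classify_framing(const char *te, const char *cl)
{
    if (te)
        return te_final_is_chunked(te) ? BODY_CHUNKED : BODY_REJECT;
    return cl ? BODY_CONTENT_LENGTH : BODY_NONE;
}

int main(void)
{
    /* Constructed input: the ambiguous pair must be rejected. */
    return classify_framing("identity", "42") == BODY_REJECT ? 0 : 1;
}
```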
