Hi, HAProxy 1.9.11 was released on 2019/09/27. It added 33 new commits after version 1.9.10.
This release fixes several issues in the H2 multiplexer, among which 2 major bugs about the way received frames are handled on the error path. The first one comes from the first age of the H2 multiplexer. During frames demultiplexing, when an error is reported on a stream, payload of the current frame must be drained to allow parsing of the following frames. This part was buggy. All the announced frame length was systematically drained and not only the available part of it. For frames partially received, too many data were drained from the demux buffer, leaving it in a buggy state and thus corrupting the memory on the next receives. This old bug is certainly responsible of many hardly reproducible and unresolved issues and also crashes. The second major bug is about a desync of the HPACK decoder. HEADERS frames received for an unknown or already closed stream were simply ignored. As stated in RFC7540#5.1, those frames must be skipped. But because they carry a compression state they must still be processed before being dropped to keep the HPACK decoder synchronized. Because those HEADERS frame were not decoded, the HPACK decoder was able to be out of sync. It is a major bug because it led to a mix-up of headers for the following streams. An AB/BA locking issue was fixed about the listeners. The functions protocol_enable_all() and delete_listener() were using the same locks in a reverse order. The former being used during startup and the latter during stop, it was possible to have a deadlock during reload floods. Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly rejected messages featuring a transfer-encoding header missing the "chunked" value. The impact was limited, but if combined with "http-reuse always", it could be used as an help to construct a content smuggling attack against a vulnerable component employing a lenient parser which would ignore the content-length header as soon as it sees a transfer-encoding one, without even parsing it. An improvement was made on the idle connections management. Now, we don't keep more idle connections than we've ever had outstanding requests on a server. This way the total number of idle connections will never exceed the sum of maximum connections. Thus highly loaded servers will be able to get many connections and slightly loaded servers will keep less. This address performance issues with the option "http-reuse safe" because of too many idle connections kept opened and never reused. An old bug on legacy HTTP analyzers was fixed. When HAProxy was waiting for a request or a response, the parsing was delayed if the buffer appeared as not rewritable (reserve not fully free), without any other criteria. It might blocked the message analysis for a while, sometime infinitely depending on circumstances. For instance, It was happening when the cache applet used the reserve to added the header "Age" on cached responses. This test was based an old implicit assumption that stated if a buffer was not rewritable, it meant some outgoing data were pending to be sent. On recent versions, this is not true anymore because all outgoing data are sent before starting the analysis of the next transaction. A bug in the SPOE was fixed by Kevin Zhu. The same engine-id was used when nbproc was more than 1. So, in async mode, an agent receiving a NOTIFY frame from a process was able to send the ACK to another process. So thanks to Kevin, now a different engine-id is generated for each process. In addition, a similar change was made when several threads are started, making the SPOE async mode compatible with multithreaded configuration. Krisztián Kovács fixed 2 issues about the namespaces. First, he fixed a FD leak in master-worker mode. The FDs opened during namespaces configuration parsing were not closed when the master process was re-executing itself, effectively leaking the fds and preventing destruction of namespaces no longer present in the configuration. Then, he fixed a bug during the soft shutdown, introducing a cleanup function that closes all namespace file descriptors by iterating over the namespace ebtree. A bug was fixed in the H1 multiplexer about trailers parsing. The trailers of chunked messages were sometimes truncated on buffer boundary because the parser systematically reported an error when the buffer was full during trailers parsing. Now, an error is only reported if the buffer is full because trailers are too huge. A bug was fixed in the cache of small objects. HTTP messages with an header part impinging upon the buffer's reserved were stored in the cache. Now these messages are not cached anymore. The reserve must remain available to handle the response processing when a cached object is served, just like any other response. Finally, the usual bunch of bug fixes here and there. An issue about the thread-safety of external checks was fixed. The sample fetch url32 was fixed to really take the path part into account. A memory leak during configuration parsing was fixed, when an ACL expression was parsed. Response flags are now correctly reset when 1xx messages are handled so it is possible to compress HTTP responses preceded by a 100-Continue. The server weights are now ignored for empty servers to not always pick the same server on low load (thanks to @malsumis and @jaroslawr for this fix). The H2 multiplexer was slightly improved, avoiding the wake up of streams before the mux is ready. The number of idle connections for each server is now reported on the stats page likewise the configuration limit. And so on. As said about the release 2.0.7, if you are using the HTTP/2, you must upgrade as soon as possible. For others, please give 1.9.11 a try as it fixes many issues. --- Complete changelog : Adis Nezirovic (1): BUG/MINOR: Missing stat_field_names (since f21d17bb) Christopher Faulet (14): BUG/MEDIUM: lua: Fix test on the direction to set the channel exp timeout BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled BUG/MINOR: h1: Properly reset h1m when parsing is restarted BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big BUG/MINOR: listener: Fix a possible null pointer dereference BUG/MINOR: filters: Properly set the HTTP status code on analysis error BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames MINOR: spoe: Improve generation of the engine-id MINOR: spoe: Support the async mode with several threads DOC: Fix documentation about the cli command to get resolver stats Jerome Magnin (1): BUG/MEDIUM: url32 does not take the path part into account in the returned hash. Kevin Zhu (1): BUG/MEDIUM: spoe: Use a different engine-id per process Krisztian Kovacs (1): BUG/MEDIUM: namespace: close open namespaces during soft shutdown Krisztián Kovács (kkovacs) (1): BUG/MEDIUM: namespace: fix fd leak in master-worker mode Lukas Tribus (1): BUG/MINOR: lua: fix setting netfilter mark Olivier Houchard (1): MEDIUM: checks: Make sure we unsubscribe before calling cs_destroy(). Willy Tarreau (11): BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary BUG/MINOR: mworker: disable SIGPROF on re-exec BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener() BUG/MINOR: lb/leastconn: ignore the server weights for empty servers BUG/MEDIUM: connection: don't keep more idle connections than ever needed MINOR: stats: report the number of idle connections for each server BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1 BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams MINOR: tools: implement my_flsl() n...@users.noreply.github.com (1): DOC: fixed typo in management.txt -- Christopher Faulet