Commit Graph

6614 Commits

Author SHA1 Message Date
Ruslan Ermilov
6052881a98 HTTP/2: fixed worker_shutdown_timeout. 2019-09-23 15:45:36 +03:00
Ruslan Ermilov
f878492af3 HTTP/2: fixed possible alert about left open socket on shutdown.
This could happen when graceful shutdown configured by worker_shutdown_timeout
times out and is then followed by another timeout such as proxy_read_timeout.
In this case, the HEADERS frame is added to the output queue, but attempt to
send it fails (due to c->error forcibly set during graceful shutdown timeout).
This triggers request finalization which attempts to close the stream.  But the
stream cannot be closed because there is a frame in the output queue, and the
connection cannot be finalized.  This leaves the connection open without any
timer events leading to alert.

The fix is to post write event when sending output queue fails on c->error.
That will finalize the connection.
2019-09-23 15:45:32 +03:00
Maxim Dounin
af0e284b96 HTTP/2: traffic-based flood detection.
With this patch, all traffic over an HTTP/2 connection is counted in
the h2c->total_bytes field, and payload traffic is counted in
the h2c->payload_bytes field.  As long as total traffic is many times
larger than payload traffic, we consider this to be a flood.
2019-09-18 20:28:12 +03:00
Maxim Dounin
4d4201fafd HTTP/2: switched back to RST_STREAM with NO_ERROR.
In 8df664ebe037, we've switched to maximizing stream window instead
of sending RST_STREAM.  Since then handling of RST_STREAM with NO_ERROR
was fixed at least in Chrome, hence we switch back to using RST_STREAM.

This allows more effective rejecting of large bodies, and also minimizes
non-payload traffic to be accounted in the next patch.
2019-09-18 20:28:09 +03:00
Sergey Kandaurov
555dc61b54 SSL: fixed ssl_verify_client error message. 2019-09-16 19:26:42 +03:00
Sergey Kandaurov
4cd1dd28dd Resolver: fixed possible use-after-free while resolving PTR.
Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
failed to allocate memory for the resulting name, then the original node was
freed but left in expire_queue.  A subsequent address resolving would end up
in a use-after-free memory access of the node either in ngx_resolver_expire()
or ngx_resolver_process_ptr(), when accessing it through expire_queue.

The fix is to leave the resolver node intact.
2019-09-10 15:42:34 +03:00
Ruslan Ermilov
c3f8098712 HTTP/2: close connection on zero WINDOW_UPDATE.
Don't waste server resources by sending RST_STREAM frames.  Instead,
reject WINDOW_UPDATE frames with invalid zero increment by closing
connection with PROTOCOL_ERROR.
2019-09-10 15:33:38 +03:00
Ruslan Ermilov
456e213904 HTTP/2: close connection on frames with self-dependency.
Don't waste server resources by sending RST_STREAM frames.  Instead,
reject HEADERS and PRIORITY frames with self-dependency by closing
connection with PROTOCOL_ERROR.
2019-09-10 15:33:37 +03:00
Sergey Kandaurov
5a2ce3f4ee Fixed "return" with discarding invalid chunked body.
When ngx_http_discard_request_body() call was added to ngx_http_send_response(),
there were no return codes other than NGX_OK and NGX_HTTP_INTERNAL_SERVER_ERROR.
Now it can also return NGX_HTTP_BAD_REQUEST, but ngx_http_send_response() still
incorrectly transforms it to NGX_HTTP_INTERNAL_SERVER_ERROR.

The fix is to propagate ngx_http_discard_request_body() errors.
2019-09-04 13:33:51 +03:00
Sergey Kandaurov
77c01f10a1 Detect runaway chunks in ngx_http_parse_chunked().
As defined in HTTP/1.1, body chunks have the following ABNF:

   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0
2019-09-03 17:26:56 +03:00
Sergey Kandaurov
9cb22efa3f HTTP/2: discard remaining request body after redirect.
Previously, if unbuffered request body reading wasn't finished before
the request was redirected to a different location using error_page
or X-Accel-Redirect, and the request body is read again, this could
lead to disastrous effects, such as a duplicate post_handler call or
"http request count is zero" alert followed by a segmentation fault.

This happened in the following configuration (ticket #1819):

    location / {
        proxy_request_buffering off;
        proxy_pass http://bad;
        proxy_intercept_errors on;
        error_page 502 = /error;
    }

    location /error {
        proxy_pass http://backend;
    }
2019-08-19 15:16:06 +03:00
Maxim Dounin
1f960ed92a SSL: lowered log level for WSAECONNABORTED errors on Windows.
Winsock uses ECONNABORTED instead of ECONNRESET in some cases.
For non-SSL connections this is already handled since baad3036086e.

Reported at
http://mailman.nginx.org/pipermail/nginx-ru/2019-August/062363.html.
2019-08-16 18:16:21 +03:00
Maxim Dounin
e77ec60db1 Version bump. 2019-08-16 18:16:14 +03:00
Maxim Dounin
a43974f3f2 release-1.17.3 tag 2019-08-13 15:45:57 +03:00
Maxim Dounin
88216c6b63 nginx-1.17.3-RELEASE 2019-08-13 15:45:56 +03:00
Ruslan Ermilov
5ae7269126 HTTP/2: limited number of PRIORITY frames.
Fixed excessive CPU usage caused by a peer that continuously shuffles
priority of streams.  Fix is to limit the number of PRIORITY frames.
2019-08-13 15:43:40 +03:00
Ruslan Ermilov
a987f81dd1 HTTP/2: limited number of DATA frames.
Fixed excessive memory growth and CPU usage if stream windows are
manipulated in a way that results in generating many small DATA frames.
Fix is to limit the number of simultaneously allocated DATA frames.
2019-08-13 15:43:36 +03:00
Sergey Kandaurov
6dfbc8b1c2 HTTP/2: reject zero length headers with PROTOCOL_ERROR.
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
2019-08-13 15:43:32 +03:00
Maxim Dounin
abe660636c Mail: fixed duplicate resolving.
When using SMTP with SSL and resolver, read events might be enabled
during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler()
calls if something arrives from the client, and duplicate session
initialization - including starting another resolving.  This can lead
to a segmentation fault if the session is closed after first resolving
finished.  Fix is to block read events while resolving.

Reported by Robert Norris,
http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html.
2019-08-01 13:50:07 +03:00
Maxim Dounin
39c40428f9 Gzip: fixed "zero size buf" alerts after ac5a741d39cf.
After ac5a741d39cf it is now possible that after zstream.avail_out
reaches 0 and we allocate additional buffer, there will be no more data
to put into this buffer, triggering "zero size buf" alert.  Fix is to
reset b->temporary flag in this case.

Additionally, an optimization added to avoid allocating additional buffer
in this case, by checking if last deflate() call returned Z_STREAM_END.
Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
as deflate() can return Z_STREAM_END without producing any output if the
buffer is smaller than gzip trailer.

Reported by Witold Filipczyk,
http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html.
2019-07-31 17:29:00 +03:00
Maxim Dounin
6179b98ed5 Version bump. 2019-07-31 17:28:41 +03:00
Maxim Dounin
e957ae888a release-1.17.2 tag 2019-07-23 15:01:47 +03:00
Maxim Dounin
3eb7ef4e20 nginx-1.17.2-RELEASE 2019-07-23 15:01:47 +03:00
Maxim Dounin
c3fd5f7e76 Core: fixed memory leak on error, missed in c3f60d618c17.
Found by Coverity (CID 1451664).
2019-07-19 17:50:00 +03:00
Maxim Dounin
2187586207 Xslt: fixed potential buffer overflow with null character.
Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.
2019-07-18 18:27:54 +03:00
Maxim Dounin
ad42d70fed SSI: avoid potential buffer overflow.
When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.
2019-07-18 18:27:53 +03:00
Maxim Dounin
20c8c4fe35 Upstream: fixed EOF handling in unbuffered and upgraded modes.
With level-triggered event methods it is important to specify
the NGX_CLOSE_EVENT flag to ngx_handle_read_event(), otherwise
the event won't be removed, resulting in CPU hog.

Reported by Patrick Wollgast.
2019-07-18 18:27:52 +03:00
Maxim Dounin
36dfa020f2 HTTP/2: return error on output on closed stream.
Without this, an (incorrect) output on a closed stream could result in
a socket leak.
2019-07-18 18:27:50 +03:00
Maxim Dounin
551640703a Core: fixed segfault with too large bucket sizes (ticket #1806).
To save memory hash code uses u_short to store resulting bucket sizes,
so maximum bucket size is limited to 65536 minus ngx_cacheline_size (larger
values will be aligned to 65536 which will overflow u_short).  However,
there were no checks to enforce this, and using larger bucket sizes
resulted in overflows and segmentation faults.

Appropriate safety checks to enforce this added to ngx_hash_init().
2019-07-18 18:27:44 +03:00
Maxim Dounin
676d1a0e94 Perl: removed unused variable, forgotten in 975d7ab37b39. 2019-07-17 17:00:57 +03:00
Ilya Leoshkevich
cfa1316368 Gzip: use zlib to write header and trailer.
When nginx is used with zlib patched with [1], which provides
integration with the future IBM Z hardware deflate acceleration, it ends
up computing CRC32 twice: one time in hardware, which always does this,
and one time in software by explicitly calling crc32().

crc32() calls were added in changesets 133:b27548f540ad ("nginx-0.0.1-
2003-09-24-23:51:12 import") and 134:d57c6835225c ("nginx-0.0.1-
2003-09-26-09:45:21 import") as part of gzip wrapping feature - back
then zlib did not support it.

However, since then gzip wrapping was implemented in zlib v1.2.0.4,
and it's already being used by nginx for log compression.

This patch replaces hand-written gzip wrapping with the one provided by
zlib. It simplifies the code, and makes it avoid computing CRC32 twice
when using hardware acceleration.

[1] https://github.com/madler/zlib/pull/410
2019-07-12 12:43:08 +02:00
Maxim Dounin
29fea7d9ec Perl: named locations in $r->internal_redirect(). 2019-07-12 15:39:28 +03:00
Maxim Dounin
8df08b02b8 Perl: expect escaped URIs in $r->internal_redirect().
Similarly to the change in 5491:74bfa803a5aa (1.5.9), we should accept
properly escaped URIs and unescape them as needed, else it is not possible
to handle URIs with question marks.
2019-07-12 15:39:26 +03:00
Maxim Dounin
9e883a2e48 Perl: additional ctx->header_sent checks.
As we now have ctx->header_sent flag, it is further used to prevent
duplicate $r->send_http_header() calls, prevent output before sending
header, and $r->internal_redirect() after sending header.

Further, $r->send_http_header() protected from calls after
$r->internal_redirect().
2019-07-12 15:39:25 +03:00
Maxim Dounin
78b39bd631 Perl: avoid returning 500 if header was already sent.
Returning NGX_HTTP_INTERNAL_SERVER_ERROR if a perl code died after
sending header will lead to a "header already sent" alert.  To avoid
it, we now check if header was already sent, and return NGX_ERROR
instead if it was.
2019-07-12 15:39:25 +03:00
Maxim Dounin
12d6b3b4a1 Perl: avoid redirects on errors.
Previously, redirects scheduled with $r->internal_redirect() were followed
even if the code then died.  Now these are ignored and nginx will return
an error instead.
2019-07-12 15:38:27 +03:00
Maxim Dounin
cae2e68908 Perl: disabled unrelated calls from variable handlers.
Variable handlers are not expected to send anything to the client, cannot
sleep or read body, and are not expected to modify the request.  Added
appropriate protection to prevent accidental foot shooting.
2019-07-12 15:35:31 +03:00
Maxim Dounin
1988783169 Perl: protection against duplicate $r->sleep() calls.
Duplicate $r->sleep() and/or $r->has_request_body() calls result
in undefined behaviour (in practice, connection leaks were observed).
To prevent this, croak() added in appropriate places.
2019-07-12 15:34:37 +03:00
Maxim Dounin
9d266efbc0 Perl: handling of allocation errors.
Previously, allocation errors in nginx.xs were more or less ignored,
potentially resulting in incorrect code execution in specific low-memory
conditions.  This is changed to use ctx->error bit and croak(), similarly
to how output errors are now handled.

Note that this is mostly a cosmetic change, as Perl itself exits on memory
allocation errors, and hence nginx with Perl is hardly usable in low-memory
conditions.
2019-07-12 13:56:23 +03:00
Maxim Dounin
4a0771f9a6 Perl: propagate errors.
When an error happens, the ctx->error bit is now set, and croak()
is called to terminate further processing.  The ctx->error bit is
checked in ngx_http_perl_call_handler() to cancel further processing,
and is also checked in various output functions - to make sure these won't
be called if croak() was handled by an eval{} in perl code.

In particular, this ensures that output chain won't be called after
errors, as filters might not expect this to happen.  This fixes some
segmentation faults under low memory conditions.  Also this stops
request processing after filter finalization or request body reading
errors.

For cases where an HTTP error status can be additionally returned (for
example, 416 (Requested Range Not Satisfiable) from the range filter),
the ctx->status field is also added.
2019-07-12 13:56:21 +03:00
Maxim Dounin
eae5e4dd01 Perl: reworked perl module to pass ctx instead of request.
This ensures that correct ctx is always available, including after
filter finalization.  In particular, this fixes a segmentation fault
with the following configuration:

    location / {
        image_filter test;

        perl 'sub {
            my $r = shift;
            $r->send_http_header();
            $r->print("foo\n");
            $r->print("bar\n");
        }';
    }

This also seems to be the only way to correctly handle filter finalization
in various complex cases, for example, when embedded perl is used both
in the original handler and in an error page called after filter
finalization.
2019-07-12 11:29:22 +03:00
Maxim Dounin
60e7480533 Perl: removed unneeded NGX_DONE test.
The NGX_DONE test in ngx_http_perl_handle_request() was introduced
in 1702:86bb52e28ce0, which also modified ngx_http_perl_call_handler()
to return NGX_DONE with c->destroyed.  The latter part was then
removed in 3050:f54b02dbb12b, so NGX_DONE test is no longer needed.
2019-07-11 23:20:08 +03:00
Gena Makhomed
1e673c72dd Contrib: vim syntax, update core and 3rd party module directives. 2019-06-30 10:39:01 +03:00
Maxim Dounin
18e063129a Typo. 2019-07-09 16:03:25 +03:00
Maxim Dounin
66e95b50e7 Version bump. 2019-07-09 16:01:32 +03:00
Maxim Dounin
4722452e9c release-1.17.1 tag 2019-06-25 15:19:45 +03:00
Maxim Dounin
c4613796af nginx-1.17.1-RELEASE 2019-06-25 15:19:45 +03:00
Maxim Dounin
32adc8534c Updated OpenSSL used for win32 builds. 2019-06-25 04:47:43 +03:00
Maxim Dounin
d9887ee2ae Perl: disabled not_modified filter (ticket #1786).
Embedded perl does not set any request fields needed for conditional
requests processing.  Further, filter finalization in the not_modified
filter can cause segmentation faults due to cleared ctx as in
ticket #1786.

Before 5fb1e57c758a (1.7.3) the not_modified filter was implicitly disabled
for perl responses, as r->headers_out.last_modified_time was -1.  This
change restores this behaviour by using the explicit r->disable_not_modified
flag.

Note that this patch doesn't try to address perl module robustness against
filter finalization and other errors returned from filter chains.  It should
be eventually reworked to handle errors instead of ignoring them.
2019-06-17 19:48:56 +03:00
Roman Arutyunyan
dda58fc63b Limit req: limit_req_dry_run directive.
A new directive limit_req_dry_run allows enabling the dry run mode.  In this
mode requests are neither rejected nor delayed, but reject/delay status is
logged as usual.
2019-06-05 19:55:27 +03:00