Welcome! Log In Create A New Profile

Advanced

[nginx] Fixed socket leak with "return 444" in error_page (ticket #274).

Maxim Dounin
September 21, 2018 10:36AM
details: http://hg.nginx.org/nginx/rev/1812f1d79d84
branches:
changeset: 7354:1812f1d79d84
user: Maxim Dounin <mdounin@mdounin.ru>
date: Fri Sep 21 15:59:30 2018 +0300
description:
Fixed socket leak with "return 444" in error_page (ticket #274).

Socket leak was observed in the following configuration:

error_page 400 = /close;

location = /close {
return 444;
}

The problem is that "return 444" triggers termination of the request,
and due to error_page termination thinks that it needs to use a posted
request to clear stack. But at the early request processing where 400
errors are generated there are no ngx_http_run_posted_requests() calls,
so the request is only terminated after an external event.

Variants of the problem include "error_page 497" instead (ticket #695)
and various other errors generated during early request processing
(405, 414, 421, 494, 495, 496, 501, 505).

The same problem can be also triggered with "return 499" and "return 408"
as both codes trigger ngx_http_terminate_request(), much like "return 444".

To fix this, the patch adds ngx_http_run_posted_requests() calls to
ngx_http_process_request_line() and ngx_http_process_request_headers()
functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream()
functions in HTTP/2.

Since the ngx_http_process_request() function is now only called via
other functions which call ngx_http_run_posted_requests(), the call
there is no longer needed and was removed.

diffstat:

src/http/ngx_http_request.c | 50 +++++++++++++++++++++++---------------------
src/http/v2/ngx_http_v2.c | 18 ++++++++++++---
2 files changed, 40 insertions(+), 28 deletions(-)

diffs (266 lines):

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -959,7 +959,7 @@ ngx_http_process_request_line(ngx_event_
n = ngx_http_read_request_header(r);

if (n == NGX_AGAIN || n == NGX_ERROR) {
- return;
+ break;
}
}

@@ -984,7 +984,7 @@ ngx_http_process_request_line(ngx_event_
}

if (ngx_http_process_request_uri(r) != NGX_OK) {
- return;
+ break;
}

if (r->schema_end) {
@@ -1003,16 +1003,16 @@ ngx_http_process_request_line(ngx_event_
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent invalid host in request line");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
- return;
+ break;
}

if (rc == NGX_ERROR) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

if (ngx_http_set_virtual_server(r, &host) == NGX_ERROR) {
- return;
+ break;
}

r->headers_in.server = host;
@@ -1024,11 +1024,11 @@ ngx_http_process_request_line(ngx_event_
&& ngx_http_set_virtual_server(r, &r->headers_in.server)
== NGX_ERROR)
{
- return;
+ break;
}

ngx_http_process_request(r);
- return;
+ break;
}


@@ -1037,7 +1037,7 @@ ngx_http_process_request_line(ngx_event_
!= NGX_OK)
{
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

c->log->action = "reading client request headers";
@@ -1045,7 +1045,7 @@ ngx_http_process_request_line(ngx_event_
rev->handler = ngx_http_process_request_headers;
ngx_http_process_request_headers(rev);

- return;
+ break;
}

if (rc != NGX_AGAIN) {
@@ -1062,7 +1062,7 @@ ngx_http_process_request_line(ngx_event_
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
}

- return;
+ break;
}

/* NGX_AGAIN: a request line parsing is still incomplete */
@@ -1073,7 +1073,7 @@ ngx_http_process_request_line(ngx_event_

if (rv == NGX_ERROR) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

if (rv == NGX_DECLINED) {
@@ -1083,10 +1083,12 @@ ngx_http_process_request_line(ngx_event_
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent too long URI");
ngx_http_finalize_request(r, NGX_HTTP_REQUEST_URI_TOO_LARGE);
- return;
+ break;
}
}
}
+
+ ngx_http_run_posted_requests(c);
}


@@ -1248,7 +1250,7 @@ ngx_http_process_request_headers(ngx_eve

if (rv == NGX_ERROR) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

if (rv == NGX_DECLINED) {
@@ -1261,7 +1263,7 @@ ngx_http_process_request_headers(ngx_eve
"client sent too large request");
ngx_http_finalize_request(r,
NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
- return;
+ break;
}

len = r->header_in->end - p;
@@ -1276,14 +1278,14 @@ ngx_http_process_request_headers(ngx_eve

ngx_http_finalize_request(r,
NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
- return;
+ break;
}
}

n = ngx_http_read_request_header(r);

if (n == NGX_AGAIN || n == NGX_ERROR) {
- return;
+ break;
}
}

@@ -1313,7 +1315,7 @@ ngx_http_process_request_headers(ngx_eve
h = ngx_list_push(&r->headers_in.headers);
if (h == NULL) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

h->hash = r->header_hash;
@@ -1329,7 +1331,7 @@ ngx_http_process_request_headers(ngx_eve
h->lowcase_key = ngx_pnalloc(r->pool, h->key.len);
if (h->lowcase_key == NULL) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
- return;
+ break;
}

if (h->key.len == r->lowcase_index) {
@@ -1343,7 +1345,7 @@ ngx_http_process_request_headers(ngx_eve
h->lowcase_key, h->key.len);

if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return;
+ break;
}

ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
@@ -1367,12 +1369,12 @@ ngx_http_process_request_headers(ngx_eve
rc = ngx_http_process_request_header(r);

if (rc != NGX_OK) {
- return;
+ break;
}

ngx_http_process_request(r);

- return;
+ break;
}

if (rc == NGX_AGAIN) {
@@ -1388,8 +1390,10 @@ ngx_http_process_request_headers(ngx_eve
"client sent invalid header line");

ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
- return;
+ break;
}
+
+ ngx_http_run_posted_requests(c);
}


@@ -1944,8 +1948,6 @@ ngx_http_process_request(ngx_http_reques
r->read_event_handler = ngx_http_block_reading;

ngx_http_handler(r);
-
- ngx_http_run_posted_requests(c);
}


diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -2673,11 +2673,13 @@ error:

if (rc == NGX_ABORT) {
/* header handler has already finalized request */
+ ngx_http_run_posted_requests(fc);
return NULL;
}

if (rc == NGX_DECLINED) {
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ ngx_http_run_posted_requests(fc);
return NULL;
}

@@ -3742,18 +3744,22 @@ ngx_http_v2_construct_cookie_header(ngx_
static void
ngx_http_v2_run_request(ngx_http_request_t *r)
{
+ ngx_connection_t *fc;
+
+ fc = r->connection;
+
if (ngx_http_v2_construct_request_line(r) != NGX_OK) {
- return;
+ goto failed;
}

if (ngx_http_v2_construct_cookie_header(r) != NGX_OK) {
- return;
+ goto failed;
}

r->http_state = NGX_HTTP_PROCESS_REQUEST_STATE;

if (ngx_http_process_request_header(r) != NGX_OK) {
- return;
+ goto failed;
}

if (r->headers_in.content_length_n > 0 && r->stream->in_closed) {
@@ -3763,7 +3769,7 @@ ngx_http_v2_run_request(ngx_http_request
r->stream->skip_data = 1;

ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
- return;
+ goto failed;
}

if (r->headers_in.content_length_n == -1 && !r->stream->in_closed) {
@@ -3771,6 +3777,10 @@ ngx_http_v2_run_request(ngx_http_request
}

ngx_http_process_request(r);
+
+failed:
+
+ ngx_http_run_posted_requests(fc);
}


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Fixed socket leak with "return 444" in error_page (ticket #274).

Maxim Dounin 374 September 21, 2018 10:36AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 72
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready