|
|
@ -0,0 +1,140 @@ |
|
|
|
From 27187ab56a2f1104818c2f21c5139c1edd8b838f Mon Sep 17 00:00:00 2001 |
|
|
|
From: Willy Tarreau <w@1wt.eu> |
|
|
|
Date: Thu, 2 Jul 2015 12:50:23 +0200 |
|
|
|
Subject: BUG/MAJOR: buffers: make the buffer_slow_realign() function respect |
|
|
|
output data |
|
|
|
|
|
|
|
The function buffer_slow_realign() was initially designed for requests |
|
|
|
only and did not consider pending outgoing data. This causes a problem |
|
|
|
when called on responses where data remain in the buffer, which may |
|
|
|
happen with pipelined requests when the client is slow to read data. |
|
|
|
|
|
|
|
The user-visible effect is that if less than <maxrewrite> bytes are |
|
|
|
present in the buffer from a previous response and these bytes cross |
|
|
|
the <maxrewrite> boundary close to the end of the buffer, then a new |
|
|
|
response will cause a realign and will destroy these pending data and |
|
|
|
move the pointer to what's believed to contain pending output data. |
|
|
|
Thus the client receives the crap that lies in the buffer instead of |
|
|
|
the original output bytes. |
|
|
|
|
|
|
|
This new implementation now properly realigns everything including the |
|
|
|
outgoing data which are moved to the end of the buffer while the input |
|
|
|
data are moved to the beginning. |
|
|
|
|
|
|
|
This implementation still uses a buffer-to-buffer copy which is not |
|
|
|
optimal in terms of performance and which should be replaced by a |
|
|
|
buffer switch later. |
|
|
|
|
|
|
|
Prior to this patch, the following script would return different hashes |
|
|
|
on each round when run from a 100 Mbps-connected machine : |
|
|
|
|
|
|
|
i=0 |
|
|
|
while usleep 100000; do |
|
|
|
echo round $((i++)) |
|
|
|
set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum) |
|
|
|
if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi |
|
|
|
done |
|
|
|
|
|
|
|
The file contains 1000 times this request with "Connection: close" on the |
|
|
|
last one : |
|
|
|
|
|
|
|
GET /?s=5k&R=1 HTTP/1.1 |
|
|
|
|
|
|
|
The config is very simple : |
|
|
|
|
|
|
|
global |
|
|
|
tune.bufsize 16384 |
|
|
|
tune.maxrewrite 8192 |
|
|
|
|
|
|
|
defaults |
|
|
|
mode http |
|
|
|
timeout client 10s |
|
|
|
timeout server 5s |
|
|
|
timeout connect 3s |
|
|
|
|
|
|
|
listen px |
|
|
|
bind :8001 |
|
|
|
option http-server-close |
|
|
|
server s1 127.0.0.1:8000 |
|
|
|
|
|
|
|
And httpterm-1.7.2 is used as the server on port 8000. |
|
|
|
|
|
|
|
After the fix, 1 million requests were sent and all returned the same |
|
|
|
contents. |
|
|
|
|
|
|
|
Many thanks to Charlie Smurthwaite of atechmedia.com for his precious |
|
|
|
help on this issue, which would not have been diagnosed without his |
|
|
|
very detailed traces and numerous tests. |
|
|
|
|
|
|
|
The patch must be backported to 1.5 which is where the bug was introduced. |
|
|
|
---
|
|
|
|
src/buffer.c | 49 +++++++++++++++++++++++++++++-------------------- |
|
|
|
1 file changed, 29 insertions(+), 20 deletions(-) |
|
|
|
|
|
|
|
diff --git a/src/buffer.c b/src/buffer.c
|
|
|
|
index 3c7f6cc..b083768 100644
|
|
|
|
--- a/src/buffer.c
|
|
|
|
+++ b/src/buffer.c
|
|
|
|
@@ -136,30 +136,39 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
|
|
|
|
return delta; |
|
|
|
} |
|
|
|
|
|
|
|
-/* This function realigns input data in a possibly wrapping buffer so that it
|
|
|
|
- * becomes contiguous and starts at the beginning of the buffer area. The
|
|
|
|
- * function may only be used when the buffer's output is empty.
|
|
|
|
+/* This function realigns a possibly wrapping buffer so that the input part is
|
|
|
|
+ * contiguous and starts at the beginning of the buffer and the output part
|
|
|
|
+ * ends at the end of the buffer. This provides the best conditions since it
|
|
|
|
+ * allows the largest inputs to be processed at once and ensures that once the
|
|
|
|
+ * output data leaves, the whole buffer is available at once.
|
|
|
|
*/ |
|
|
|
void buffer_slow_realign(struct buffer *buf) |
|
|
|
{ |
|
|
|
- /* two possible cases :
|
|
|
|
- * - the buffer is in one contiguous block, we move it in-place
|
|
|
|
- * - the buffer is in two blocks, we move it via the swap_buffer
|
|
|
|
- */
|
|
|
|
- if (buf->i) {
|
|
|
|
- int block1 = buf->i;
|
|
|
|
- int block2 = 0;
|
|
|
|
- if (buf->p + buf->i > buf->data + buf->size) {
|
|
|
|
- /* non-contiguous block */
|
|
|
|
- block1 = buf->data + buf->size - buf->p;
|
|
|
|
- block2 = buf->p + buf->i - (buf->data + buf->size);
|
|
|
|
- }
|
|
|
|
- if (block2)
|
|
|
|
- memcpy(swap_buffer, buf->data, block2);
|
|
|
|
- memmove(buf->data, buf->p, block1);
|
|
|
|
- if (block2)
|
|
|
|
- memcpy(buf->data + block1, swap_buffer, block2);
|
|
|
|
+ int block1 = buf->o;
|
|
|
|
+ int block2 = 0;
|
|
|
|
+
|
|
|
|
+ /* process output data in two steps to cover wrapping */
|
|
|
|
+ if (block1 > buf->p - buf->data) {
|
|
|
|
+ block2 = buf->p - buf->data;
|
|
|
|
+ block1 -= block2;
|
|
|
|
} |
|
|
|
+ memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1);
|
|
|
|
+ memcpy(swap_buffer + buf->size - block2, buf->data, block2);
|
|
|
|
+
|
|
|
|
+ /* process input data in two steps to cover wrapping */
|
|
|
|
+ block1 = buf->i;
|
|
|
|
+ block2 = 0;
|
|
|
|
+
|
|
|
|
+ if (block1 > buf->data + buf->size - buf->p) {
|
|
|
|
+ block1 = buf->data + buf->size - buf->p;
|
|
|
|
+ block2 = buf->i - block1;
|
|
|
|
+ }
|
|
|
|
+ memcpy(swap_buffer, bi_ptr(buf), block1);
|
|
|
|
+ memcpy(swap_buffer + block1, buf->data, block2);
|
|
|
|
+
|
|
|
|
+ /* reinject changes into the buffer */
|
|
|
|
+ memcpy(buf->data, swap_buffer, buf->i);
|
|
|
|
+ memcpy(buf->data + buf->size - buf->o, swap_buffer + buf->size - buf->o, buf->o);
|
|
|
|
|
|
|
|
buf->p = buf->data; |
|
|
|
} |
|
|
|
--
|
|
|
|
1.7.12.1 |
|
|
|
|