haproxy: Update all patches for HAProxy v1.8.14lilik-openwrt-22.03
@ -0,0 +1,43 @@ | |||
commit c990c7fe448248c4e2a34b84b593cc1b3536b328 | |||
Author: Willy Tarreau <w@1wt.eu> | |||
Date: Sun Nov 11 10:36:25 2018 +0100 | |||
BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn | |||
In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at | |||
least 16384 when using HTTP/2") tried to avoid an annoying issue making | |||
H2 fail when haproxy is built with default buffer sizes smaller than 16kB, | |||
which used to be the case for a very long time. Sadly, the test only sees | |||
when NPN/ALPN exactly match "h2" and not when it's combined like | |||
"h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because | |||
the string is prefixed by the token's length (0x02) which is unambiguous | |||
as it cannot be part of any other token. | |||
This fix should be backported to 1.8 as a safety guard against bad | |||
configurations. | |||
(cherry picked from commit 4db49c0704898e51892a176505299de3e022c5ea) | |||
Signed-off-by: William Lallemand <wlallemand@haproxy.org> | |||
diff --git a/src/cfgparse.c b/src/cfgparse.c | |||
index 87a4d803..618ffd39 100644 | |||
--- a/src/cfgparse.c | |||
+++ b/src/cfgparse.c | |||
@@ -7629,7 +7629,7 @@ int check_config_validity() | |||
if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) { | |||
#ifdef OPENSSL_NPN_NEGOTIATED | |||
/* check NPN */ | |||
- if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) { | |||
+ if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) { | |||
ha_alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", | |||
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); | |||
cfgerr++; | |||
@@ -7637,7 +7637,7 @@ int check_config_validity() | |||
#endif | |||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |||
/* check ALPN */ | |||
- if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) { | |||
+ if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) { | |||
ha_alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", | |||
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); | |||
cfgerr++; |
@ -0,0 +1,61 @@ | |||
commit 5b259db1160fa12820cc5ba6399e4dbcefa6ab22 | |||
Author: Olivier Houchard <ohouchard@haproxy.com> | |||
Date: Wed Nov 14 17:54:36 2018 +0100 | |||
BUG/MEDIUM: Make sure stksess is properly aligned. | |||
When we allocate struct stksess, we also allocate memory to store the | |||
associated data before the struct itself. | |||
As the data can be of different types, they can have different size. However, | |||
we need the struct stksess to be properly aligned, as it can do 64bits | |||
load/store (including atomic load/stores) on 64bits platforms, and some of | |||
them doesn't support unaligned access. | |||
So, when allocating the struct stksess, round the size up to the next | |||
multiple of sizeof(void *), and make sure the struct stksess itself is | |||
properly aligned. | |||
Many thanks to Paul Martin for investigating and reporting that bug. | |||
This should be backported to earlier releases. | |||
(cherry picked from commit 52dabbc4fad338233c7f0c96f977a43f8f81452a) | |||
Signed-off-by: William Lallemand <wlallemand@haproxy.org> | |||
diff --git a/src/stick_table.c b/src/stick_table.c | |||
index f1442603..0a238378 100644 | |||
--- a/src/stick_table.c | |||
+++ b/src/stick_table.c | |||
@@ -44,6 +44,7 @@ | |||
/* structure used to return a table key built from a sample */ | |||
static THREAD_LOCAL struct stktable_key static_table_key; | |||
+#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1)) | |||
/* | |||
* Free an allocated sticky session <ts>, and decrease sticky sessions counter | |||
* in table <t>. | |||
@@ -51,7 +52,7 @@ static THREAD_LOCAL struct stktable_key static_table_key; | |||
void __stksess_free(struct stktable *t, struct stksess *ts) | |||
{ | |||
t->current--; | |||
- pool_free(t->pool, (void *)ts - t->data_size); | |||
+ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size)); | |||
} | |||
/* | |||
@@ -229,7 +230,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key) | |||
ts = pool_alloc(t->pool); | |||
if (ts) { | |||
t->current++; | |||
- ts = (void *)ts + t->data_size; | |||
+ ts = (void *)ts + round_ptr_size(t->data_size); | |||
__stksess_init(t, ts); | |||
if (key) | |||
stksess_setkey(t, ts, key); | |||
@@ -597,7 +598,7 @@ int stktable_init(struct stktable *t) | |||
t->updates = EB_ROOT_UNIQUE; | |||
HA_SPIN_INIT(&t->lock); | |||
- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED); | |||
+ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED); | |||
t->exp_next = TICK_ETERNITY; | |||
if ( t->expire ) { |
@ -0,0 +1,38 @@ | |||
commit 54824cf35520b11ff97e0937beeb429dcdc55fd0 | |||
Author: Christopher Faulet <cfaulet@haproxy.com> | |||
Date: Mon Nov 12 11:57:31 2018 +0100 | |||
BUG/MINOR: config: Copy default error messages when parsing of a backend starts | |||
To be used, error messages declared in a default section must be copied when the | |||
parsing of a proxy section starts. But this was only done for frontends. | |||
This patch may be backported to older versions. | |||
(cherry picked from commit 6b44975fbd2f7d81074e20bc07fc0e01466cc9c9) | |||
Signed-off-by: William Lallemand <wlallemand@haproxy.org> | |||
diff --git a/src/cfgparse.c b/src/cfgparse.c | |||
index 618ffd39..6bc6b259 100644 | |||
--- a/src/cfgparse.c | |||
+++ b/src/cfgparse.c | |||
@@ -2787,15 +2787,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) | |||
curproxy->server_id_hdr_name = strdup(defproxy.server_id_hdr_name); | |||
} | |||
+ /* initialize error relocations */ | |||
+ for (rc = 0; rc < HTTP_ERR_SIZE; rc++) | |||
+ chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); | |||
+ | |||
if (curproxy->cap & PR_CAP_FE) { | |||
curproxy->maxconn = defproxy.maxconn; | |||
curproxy->backlog = defproxy.backlog; | |||
curproxy->fe_sps_lim = defproxy.fe_sps_lim; | |||
- /* initialize error relocations */ | |||
- for (rc = 0; rc < HTTP_ERR_SIZE; rc++) | |||
- chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); | |||
- | |||
curproxy->to_log = defproxy.to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR; | |||
} | |||
@ -0,0 +1,32 @@ | |||
commit 64a7cbf4ea3276b72ffb121acab676542cebde1b | |||
Author: Willy Tarreau <w@1wt.eu> | |||
Date: Tue Nov 20 04:47:38 2018 +0100 | |||
BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field | |||
James Brown reported that when an "accept-ranges" header field is sent | |||
through haproxy and converted from HTTP/1.1 to H2, it's mis-encoded as | |||
"accept-language". It happens that it's one of the few very common header | |||
fields encoded using its index value and that this index value was misread | |||
in the spec as 17 instead of 18, resulting in the wrong name being sent. | |||
Thanks to Lukas for spotting the issue in the HPACK encoder itself. | |||
This fix must be backported to 1.8. | |||
(cherry picked from commit 4bf194cbdbcda8ec4ce83d7f12d2fe9b08483c94) | |||
[wla: buffer API edit] | |||
Signed-off-by: William Lallemand <wlallemand@haproxy.org> | |||
diff --git a/src/hpack-enc.c b/src/hpack-enc.c | |||
index d1f68c58..99c73103 100644 | |||
--- a/src/hpack-enc.c | |||
+++ b/src/hpack-enc.c | |||
@@ -101,7 +101,7 @@ int hpack_encode_header(struct chunk *out, const struct ist n, const struct ist | |||
else if (isteq(n, ist("last-modified"))) | |||
out->str[len++] = 0x6c; // literal with indexing -- name="last-modified" (idx 44) | |||
else if (isteq(n, ist("accept-ranges"))) | |||
- out->str[len++] = 0x51; // literal with indexing -- name="accept-ranges" (idx 17) | |||
+ out->str[len++] = 0x52; // literal with indexing -- name="accept-ranges" (idx 18) | |||
else if (isteq(n, ist("cache-control"))) | |||
out->str[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24) | |||
else if (isteq(n, ist("content-length"))) |