Browse Source

haproxy: patches from upstream

- [PATCH 1/6] BUILD: fix "make install" to support spaces in the
 - [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause
 - [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory
 - [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks
 - [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance
 - [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
lilik-openwrt-22.03
Thomas Heil 10 years ago
parent
commit
c950f48e7a
7 changed files with 441 additions and 1 deletions
  1. +1
    -1
      net/haproxy/Makefile
  2. +46
    -0
      net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
  3. +87
    -0
      net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
  4. +104
    -0
      net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
  5. +102
    -0
      net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
  6. +42
    -0
      net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
  7. +59
    -0
      net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch

+ 1
- 1
net/haproxy/Makefile View File

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy PKG_NAME:=haproxy
PKG_VERSION:=1.5.8 PKG_VERSION:=1.5.8
PKG_RELEASE:=00
PKG_RELEASE:=06
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/ PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)


+ 46
- 0
net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch View File

@ -0,0 +1,46 @@
From 184422d39df1aa27e6ef4c1ae75177489147ec99 Mon Sep 17 00:00:00 2001
From: Arcadiy Ivanov <arcadiy.ivanov@servicemesh.com>
Date: Tue, 4 Nov 2014 07:06:13 -0500
Subject: [PATCH 1/6] BUILD: fix "make install" to support spaces in the
install dirs
Makefile is unable to install into directories containing spaces.
(cherry picked from commit 3785311e64792787de78370fa126fd806734f7fe)
---
Makefile | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index 707037b..9556069 100644
--- a/Makefile
+++ b/Makefile
@@ -710,19 +710,19 @@ src/dlmalloc.o: $(DLMALLOC_SRC)
$(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $<
install-man:
- install -d $(DESTDIR)$(MANDIR)/man1
- install -m 644 doc/haproxy.1 $(DESTDIR)$(MANDIR)/man1
+ install -d "$(DESTDIR)$(MANDIR)"/man1
+ install -m 644 doc/haproxy.1 "$(DESTDIR)$(MANDIR)"/man1
install-doc:
- install -d $(DESTDIR)$(DOCDIR)
+ install -d "$(DESTDIR)$(DOCDIR)"
for x in configuration architecture haproxy-en haproxy-fr; do \
- install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \
+ install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
done
install-bin: haproxy haproxy-systemd-wrapper
- install -d $(DESTDIR)$(SBINDIR)
- install haproxy $(DESTDIR)$(SBINDIR)
- install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR)
+ install -d "$(DESTDIR)$(SBINDIR)"
+ install haproxy "$(DESTDIR)$(SBINDIR)"
+ install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)"
install: install-bin install-man install-doc
--
2.0.4

+ 87
- 0
net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch View File

@ -0,0 +1,87 @@
From 90951497008967f10ba8f9927b53c6e6bc138540 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.comw>
Date: Wed, 12 Nov 2014 17:35:37 +0100
Subject: [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause
segfault in case of OOM.
Some SSL context's init functions errors were not handled and
can cause a segfault due to an incomplete SSL context
initialization.
This fix must be backported to 1.5.
(cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963)
---
src/ssl_sock.c | 44 ++++++++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 10 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f8bfbe7..620609f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn)
return -1;
}
- SSL_set_connect_state(conn->xprt_ctx);
- if (objt_server(conn->target)->ssl_ctx.reused_sess)
- SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess);
-
/* set fd on SSL session context */
- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
/* set connection pointer */
- SSL_set_app_data(conn->xprt_ctx, conn);
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+
+ SSL_set_connect_state(conn->xprt_ctx);
+ if (objt_server(conn->target)->ssl_ctx.reused_sess) {
+ if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) {
+ SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
+ objt_server(conn->target)->ssl_ctx.reused_sess = NULL;
+ }
+ }
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
@@ -2065,13 +2079,23 @@ static int ssl_sock_init(struct connection *conn)
return -1;
}
- SSL_set_accept_state(conn->xprt_ctx);
-
/* set fd on SSL session context */
- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
/* set connection pointer */
- SSL_set_app_data(conn->xprt_ctx, conn);
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+
+ SSL_set_accept_state(conn->xprt_ctx);
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
--
2.0.4

+ 104
- 0
net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch View File

@ -0,0 +1,104 @@
From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 13 Nov 2014 13:48:58 +0100
Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory
shortage
When memory becomes scarce and openssl refuses to allocate a new SSL
session, it is worth freeing the pools and trying again instead of
rejecting all incoming SSL connection. This can happen when some
memory usage limits have been assigned to the haproxy process using
-m or with ulimit -m/-v.
This is mostly an enhancement of previous fix and is worth backporting
to 1.5.
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
---
src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 620609f..f50efe5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
/* If it is in client mode initiate SSL session
in connect state otherwise accept state */
if (objt_server(conn->target)) {
+ int may_retry = 1;
+
+ retry_connect:
/* Alloc a new SSL session ctx */
conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
return 0;
}
else if (objt_listener(conn->target)) {
+ int may_retry = 1;
+
+ retry_accept:
/* Alloc a new SSL session ctx */
conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
--
2.0.4

+ 102
- 0
net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch View File

@ -0,0 +1,102 @@
From 1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
Date: Sat, 15 Nov 2014 22:41:27 +0100
Subject: [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks
and ssl healthchecks
Lasse Birnbaum Jensen reported an issue when agent checks are used at the same
time as standard healthchecks when SSL is enabled on the server side.
The symptom is that agent checks try to communicate in SSL while it should
manage raw data. This happens because the transport layer is shared between all
kind of checks.
To fix the issue, the transport layer is now stored in each check type,
allowing to use SSL healthchecks when required, while an agent check should
always use the raw_sock implementation.
The fix must be backported to 1.5.
(cherry picked from commit 9ce1311ebc834e20addc7a8392c0fc4e4ad687b7)
---
include/types/checks.h | 3 ++-
include/types/server.h | 1 -
src/checks.c | 2 +-
src/server.c | 2 +-
src/ssl_sock.c | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/types/checks.h b/include/types/checks.h
index a50043b..42b7b07 100644
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -125,6 +125,7 @@ enum {
};
struct check {
+ struct xprt_ops *xprt; /* transport layer operations for health checks */
struct connection *conn; /* connection state for health checks */
unsigned short port; /* the port to use for the health checks */
struct buffer *bi, *bo; /* input and output buffers to send/recv check */
@@ -132,7 +133,7 @@ struct check {
struct timeval start; /* last health check start time */
long duration; /* time in ms took to finish last health check */
short status, code; /* check result, check code */
- char desc[HCHK_DESC_LEN]; /* health check descritpion */
+ char desc[HCHK_DESC_LEN]; /* health check description */
int use_ssl; /* use SSL for health checks */
int send_proxy; /* send a PROXY protocol header with checks */
struct tcpcheck_rule *current_step; /* current step when using tcpcheck */
diff --git a/include/types/server.h b/include/types/server.h
index 313f58d..c419b40 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -194,7 +194,6 @@ struct server {
struct { /* configuration used by health-check and agent-check */
struct protocol *proto; /* server address protocol for health checks */
- struct xprt_ops *xprt; /* transport layer operations for health checks */
struct sockaddr_storage addr; /* the address to check, if different from <addr> */
} check_common;
diff --git a/src/checks.c b/src/checks.c
index 5318f35..84bf0e5 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1413,7 +1413,7 @@ static int connect_chk(struct task *t)
/* prepare a new connection */
conn_init(conn);
- conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
+ conn_prepare(conn, s->check_common.proto, check->xprt);
conn_attach(conn, check, &check_conn_cb);
conn->target = &s->obj_type;
diff --git a/src/server.c b/src/server.c
index fdb63cc..94a31b6 100644
--- a/src/server.c
+++ b/src/server.c
@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
newsrv->addr = *sk;
newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family);
- newsrv->xprt = newsrv->check_common.xprt = &raw_sock;
+ newsrv->xprt = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock;
if (!newsrv->proto) {
Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n",
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f50efe5..b73d6f9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1812,7 +1812,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
if (srv->use_ssl)
srv->xprt = &ssl_sock;
if (srv->check.use_ssl)
- srv->check_common.xprt = &ssl_sock;
+ srv->check.xprt = &ssl_sock;
srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
if (!srv->ssl_ctx.ctx) {
--
2.0.4

+ 42
- 0
net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch View File

@ -0,0 +1,42 @@
From cac307c020db7a938b73d4fef27a3b4ad2ecdf6a Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Nov 2014 15:04:29 +0100
Subject: [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance
algorithm in frontends
Tom Limoncelli from Stack Exchange reported a minor bug : the frontend
inherits the LB parameters from the defaults sections. The impact is
that if a "balance" directive uses any L7 parameter in the defaults
sections and the frontend is in TCP mode, a warning is emitted about
their incompatibility. The warning is harmless but a valid, sane config
should never cause any warning to be reported.
This fix should be backported into 1.5 and possibly 1.4.
(cherry picked from commit 743c128580ee29c8f073b4a29771a5ce715f3721)
---
src/cfgparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 392a692..40d20ab 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2003,7 +2003,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
curproxy->no_options = defproxy.no_options;
curproxy->no_options2 = defproxy.no_options2;
curproxy->bind_proc = defproxy.bind_proc;
- curproxy->lbprm.algo = defproxy.lbprm.algo;
curproxy->except_net = defproxy.except_net;
curproxy->except_mask = defproxy.except_mask;
curproxy->except_to = defproxy.except_to;
@@ -2037,6 +2036,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
}
if (curproxy->cap & PR_CAP_BE) {
+ curproxy->lbprm.algo = defproxy.lbprm.algo;
curproxy->fullconn = defproxy.fullconn;
curproxy->conn_retries = defproxy.conn_retries;
curproxy->max_ka_queue = defproxy.max_ka_queue;
--
2.0.4

+ 59
- 0
net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch View File

@ -0,0 +1,59 @@
From 8ba50128832bb31e95f06fe4cb2bd172f2b945fe Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Nov 2014 18:49:19 +0100
Subject: [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier
Denys Fedoryshchenko reported and diagnosed a nasty bug caused by TCP
captures, introduced in late 1.5-dev by commit 18bf01e ("MEDIUM: tcp:
add a new tcp-request capture directive"). The problem is that we're
using the array of capture pointers initially designed for HTTP usage
only, and that this array was only reset when starting to process an
HTTP request. In a tcp-only frontend, the pointers are not reset, and
if the capture pool is shared, we can very well point to whatever other
memory location, resulting in random crashes when tcp-request content
captures are processed.
The fix simply consists in initializing these pointers when the pools
are prepared.
A workaround for existing versions consists in either disabling TCP
captures in tcp-only frontends, or in forcing the frontends to work in
HTTP mode.
Thanks to Denys for the amount of testing and detailed reports.
This fix must be backported to 1.5.
(cherry picked from commit 9654e57fac86c773091b892f42015ba2ba56be5a)
---
src/frontend.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/frontend.c b/src/frontend.c
index 3f80774..2928047 100644
--- a/src/frontend.c
+++ b/src/frontend.c
@@ -106,11 +106,17 @@ int frontend_accept(struct session *s)
if (global.tune.client_rcvbuf)
setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf));
- if (unlikely(s->fe->nb_req_cap > 0 && (s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL))
- goto out_return; /* no memory */
+ if (unlikely(s->fe->nb_req_cap > 0)) {
+ if ((s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL)
+ goto out_return; /* no memory */
+ memset(s->txn.req.cap, 0, s->fe->nb_req_cap * sizeof(void *));
+ }
- if (unlikely(s->fe->nb_rsp_cap > 0 && (s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL))
- goto out_free_reqcap; /* no memory */
+ if (unlikely(s->fe->nb_rsp_cap > 0)) {
+ if ((s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL)
+ goto out_free_reqcap; /* no memory */
+ memset(s->txn.rsp.cap, 0, s->fe->nb_rsp_cap * sizeof(void *));
+ }
if (s->fe->http_needed) {
/* we have to allocate header indexes only if we know
--
2.0.4

Loading…
Cancel
Save