From: Christopher Faulet Date: Tue, 3 Sep 2024 12:10:29 +0000 (+0200) Subject: BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered X-Git-Tag: v3.1-dev7~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d4271cdae18780de79e1ce997d562f91eeee316;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered When a 400/408/500/501 error is returned by the H1 multiplexer, we first try to get the error message of the proxy before using the default one. This may be configured to be mapped on /dev/null or on an empty file. In that case, no message is emitted, as expected. But everything is handled as the error was successfully sent. However, there is an bug here. In h1_send_error() function, this case is not properly handled. The flag H1C_F_ABRTED is not set on the H1 connection as it should be and h1_close() function is not called, leaving the H1 connection in an undefined state. It is especially an issue when a "empty" 408-Request-Time-out error is emitted while there are data blocked in the output buffer. In that case, the connection remains openned until the client closes and a "cR--"/408 is logged repeatedly, every time the client timeout is reached. This patch must backported as far as 2.8. --- diff --git a/src/mux_h1.c b/src/mux_h1.c index 43bc6d57e9..13066ced6e 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -3558,7 +3558,7 @@ static int h1_send_error(struct h1c *h1c) b_is_null(h1c->px->replies[rc]->body.errmsg)) { /* Empty error, so claim a success */ ret = 1; - goto out; + goto out_abort; } if (h1c->flags & (H1C_F_OUT_ALLOC|H1C_F_OUT_FULL)) { @@ -3590,6 +3590,7 @@ static int h1_send_error(struct h1c *h1c) h1s_destroy(h1c->h1s); } + out_abort: h1c->flags = (h1c->flags & ~(H1C_F_WAIT_NEXT_REQ|H1C_F_ABRT_PENDING)) | H1C_F_ABRTED; h1_close(h1c); out: