From: Willy Tarreau
Date: Thu, 26 Nov 2020 16:06:04 +0000 (+0100)
Subject: BUG/MAJOR: peers: fix partial message decoding
X-Git-Tag: v2.4-dev2~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=345ebcfc010e397cb718400a32b4db845dda7a2f;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: peers: fix partial message decoding

Another bug in the peers message parser was uncovered by last commit 1dfd4f106 ("BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages"): the function return on incomplete message does not check if the channel has a pending close before deciding to return 0. It did not hurt previously because the loop calling co_getblk() once per character would have depleted the buffer and hit the end, causing <0 to be returned and matching the condition. But now that we process at once what is available this cannot be relied on anymore and it's now clearly visible that the final check is missing.

What happens when this strikes is that if a peer connection breaks in the middle of a message, the function will return 0 (missing data) but the caller doesn't check for the closed buffer, subscribes to reads, and the applet handler is immediately called again since some data are still available. This is detected by the loop prevention and the process dies complaining that an appctx is spinning.

This patch simply adds the check for closed channel.

It must be backported to the same versions as the fix above.
---
diff --git a/src/peers.c b/src/peers.c
index 3466fa5762..abc2c596b8 100644
--- a/src/peers.c
+++ b/src/peers.c
@@ -1897,8 +1897,8 @@ static inline int peer_recv_msg(struct appctx *appctx, char *msg_head, size_t ms return 1; incomplete: - if (reql < 0) { - /* there was an error */ + if (reql < 0 || (si_oc(si)->flags & (CF_SHUTW|CF_SHUTW_NOW))) { + /* there was an error or the message was truncated */ appctx->st0 = PEER_SESS_ST_END; return -1; }
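Review bot: the new condition in the `incomplete:` path tests the output channel's write-side flags (`si_oc(si)->flags & (CF_SHUTW|CF_SHUTW_NOW)`) to detect a truncated inbound message, which is correct for an applet reading via `co_getblk()` but is not obvious to a reader who expects a read-side shutdown flag here; the comment `/* there was an error or the message was truncated */` would be more useful if it also stated that the peer's channel is the applet's read source and that returning 0 on a closed channel would leave the caller subscribed to reads and spinning, as the commit message explains. Consider also distinguishing the two cases collapsed into this branch (`reql < 0` versus channel closed mid-message) in whatever diagnostics the peers applet emits on reaching `PEER_SESS_ST_END`, since a connection dropped mid-message and a protocol decoding error are different operational events.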