Do not allow client_ip_max_connections+1 connections (#2168)
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Mon, 8 Sep 2025 14:43:54 +0000 (14:43 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Mon, 8 Sep 2025 14:55:58 +0000 (14:55 +0000)
Previously, setting client_ip_max_connections to a non-negative N would
allow N+1 client connections, due to an off-by-one error.

doc/release-notes/release-8.sgml.in
src/comm/TcpAcceptor.cc

index 4655df84a4e81c196a2a13dfd034786d7fe1381a..2c7a44edd119bcff5c7abecc43344d906a8a667f 100644 (file)
@@ -95,6 +95,15 @@ This section gives an account of those changes in three categories:
        <em>src_as</em> and <em>dst_as</em> ACLs, Squid no longer initiates ASN
        lookups.
 
+       <tag>client_ip_max_connections</tag>
+
+       <p>Fixed off-by-one enforcement. Squid now allows at most <em>N</em>
+       concurrent connections per client IP (not <em>N</em>+1), where <em>N</em>
+       is the configured directive value. Deployments that relied on the extra
+       connection should increase the configured limit by one to preserve
+       previous behavior.
+
+
 </descrip>
 
 <sect1>Removed directives<label id="removeddirectives">
index bdf3b04b3683c4f81565fefc751f7ac100ce42ea..e657e4d90d8434c27401a905ef2a8e2511222355 100644 (file)
@@ -414,7 +414,7 @@ Comm::TcpAcceptor::acceptInto(Comm::ConnectionPointer &details)
     details->nfConnmark = Ip::Qos::getNfConnmark(details, Ip::Qos::dirAccepted);
 
     if (Config.client_ip_max_connections >= 0) {
-        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
+        if (clientdbEstablished(details->remote, 0) >= Config.client_ip_max_connections) {
             debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
             return false;
         }
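Review bot: The corrected `>=` on the new line appears to depend on clientdbEstablished(details->remote, 0) reporting only connections already established for that client, with the one being accepted not yet counted, and nothing in the hunk records that assumption, so the comparison reads like the very off-by-one it fixes and invites a later "correction" back to `>`; a comment above it such as `// clientdbEstablished() counts connections already accepted for this client; the one being accepted is not among them, so refuse once the count reaches the limit.` would pin the intent. With `>=`, a configured value of 0 now refuses every connection from every client (the surrounding `>= 0` guard still treats 0 as an active limit), which matches the release note's "at most N" wording but is a behaviour change worth stating there explicitly. The DBG_IMPORTANT warning is emitted once per refused accept, so a client sitting at the limit and retrying produces one log line per attempt; that predates this change but is reached one connection earlier now, and a rate-limited or per-client-once warning would keep cache.log usable during such bursts. acceptInto begins before the hunk and continues after it.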