nginx.git/src/core, branch release-1.20.2 nginx Changed ngx_chain_update_chains() to test tag first (ticket #2248). 2021-10-29T23:39:19+00:00 Maxim Dounin mdounin@mdounin.ru 2021-10-29T23:39:19+00:00 a8bc01b466e3edec205ec4ecc5d0b2b6a172c9a2 Without this change, aio used with HTTP/2 can result in connection hang, as observed with "aio threads; aio_write on;" and proxying (ticket #2248). The problem is that HTTP/2 updates buffers outside of the output filters (notably, marks them as sent), and then posts a write event to call output filters. If a filter does not call the next one for some reason (for example, because of an AIO operation in progress), this might result in a state when the owner of a buffer already called ngx_chain_update_chains() and can reuse the buffer, while the same buffer is still sitting in the busy chain of some other filter. In the particular case a buffer was sitting in output chain's ctx->busy, and was reused by event pipe. Output chain's ctx->busy was permanently blocked by it, and this resulted in connection hang. Fix is to change ngx_chain_update_chains() to skip buffers from other modules unconditionally, without trying to wait for these buffers to become empty. 
Without this change, aio used with HTTP/2 can result in connection hang,
as observed with "aio threads; aio_write on;" and proxying (ticket #2248).

The problem is that HTTP/2 updates buffers outside of the output filters
(notably, marks them as sent), and then posts a write event to call
output filters.  If a filter does not call the next one for some reason
(for example, because of an AIO operation in progress), this might
result in a state when the owner of a buffer already called
ngx_chain_update_chains() and can reuse the buffer, while the same buffer
is still sitting in the busy chain of some other filter.

In the particular case a buffer was sitting in output chain's ctx->busy,
and was reused by event pipe.  Output chain's ctx->busy was permanently
blocked by it, and this resulted in connection hang.

Fix is to change ngx_chain_update_chains() to skip buffers from other
modules unconditionally, without trying to wait for these buffers to
become empty.
Version bump. 2021-11-16T13:57:52+00:00 Maxim Dounin mdounin@mdounin.ru 2021-11-16T13:57:52+00:00 284322947094b5c29ffc2166a946b26258c8f46c 






Resolver: explicit check for compression pointers in question.
2021-05-25T12:17:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:50+00:00

ac18345675e4703efb843d06f96d596ab42c5dc5

Since nginx always uses exactly one entry in the question section of
a DNS query, and never uses compression pointers in this entry, parsing
of a DNS response in ngx_resolver_process_response() does not expect
compression pointers to appear in the question section of the DNS
response.  Indeed, compression pointers in the first name of a DNS response
hardly make sense, do not seem to be allowed by RFC 1035 (which says
"a pointer to a prior occurance of the same name", note "prior"), and
were never observed in practice.

Added an explicit check to ngx_resolver_process_response()'s parsing
of the question section to properly report an error if compression pointers
nevertheless appear in the question section.





Since nginx always uses exactly one entry in the question section of
a DNS query, and never uses compression pointers in this entry, parsing
of a DNS response in ngx_resolver_process_response() does not expect
compression pointers to appear in the question section of the DNS
response.  Indeed, compression pointers in the first name of a DNS response
hardly make sense, do not seem to be allowed by RFC 1035 (which says
"a pointer to a prior occurance of the same name", note "prior"), and
were never observed in practice.

Added an explicit check to ngx_resolver_process_response()'s parsing
of the question section to properly report an error if compression pointers
nevertheless appear in the question section.







Resolver: simplified ngx_resolver_copy().
2021-05-25T12:17:45+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:45+00:00

d1f51296bc175a897742572dc0be824a94df3f5a

Instead of checking on each label if we need to place a dot or not,
now it always adds a dot after a label, and reduces the resulting
length afterwards.





Instead of checking on each label if we need to place a dot or not,
now it always adds a dot after a label, and reduces the resulting
length afterwards.







Resolver: reworked ngx_resolver_copy() copy loop.
2021-05-25T12:17:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:43+00:00

52601fc5dcb7532d2ee6d9edcf02b7828b425d7e

To make the code easier to read, reworked the ngx_resolver_copy()
copy loop to match the one used to calculate length.  No functional
changes.





To make the code easier to read, reworked the ngx_resolver_copy()
copy loop to match the one used to calculate length.  No functional
changes.







Resolver: fixed label types handling in ngx_resolver_copy().
2021-05-25T12:17:41+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:41+00:00

3893b483ed2d90f514ffe10a5d1ac12a90b89d4e

Previously, anything with any of the two high bits set were interpreted
as compression pointers.  This is incorrect, as RFC 1035 clearly states
that "The 10 and 01 combinations are reserved for future use".  Further,
the 01 combination is actually allocated for EDNS extended label type
(see RFC 2671 and RFC 6891), not really used though.

Fix is to reject unrecognized label types rather than misinterpreting
them as compression pointers.





Previously, anything with any of the two high bits set were interpreted
as compression pointers.  This is incorrect, as RFC 1035 clearly states
that "The 10 and 01 combinations are reserved for future use".  Further,
the 01 combination is actually allocated for EDNS extended label type
(see RFC 2671 and RFC 6891), not really used though.

Fix is to reject unrecognized label types rather than misinterpreting
them as compression pointers.







Resolver: fixed off-by-one read in ngx_resolver_copy().
2021-05-25T12:17:38+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:38+00:00

dbd4dfd19fbd4d894f1215ea84f9c8ec2b3e84fc

It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.





It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.







Resolver: fixed off-by-one write in ngx_resolver_copy().
2021-05-25T12:17:36+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:17:36+00:00

7199ebc203f74fd9e44595474de6bdc41740c5cf

Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.





Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.







Version bump.
2021-05-25T12:29:54+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-25T12:29:54+00:00

473ef4f869e9e2c0bd42f66d6c0ba252f50dfe3c












Stable branch.
2021-04-20T13:06:58+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-20T13:06:58+00:00

0c760317c37c577dcc1fdd68ec28ecbb77da4c20