9228:dd4a570ff4ac | 26-Feb-2024 |
Piotr Sikora |
Rewrite: fixed "return" directive without response text.
Previously, the response text wasn't initialized and the rewrite module was sending response body set to NULL.
Found with UndefinedBehaviorS
Rewrite: fixed "return" directive without response text.
Previously, the response text wasn't initialized and the rewrite module was sending response body set to NULL.
Found with UndefinedBehaviorSanitizer (pointer-overflow).
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
show more ...
|
9227:f208413f307f | 18-Mar-2024 |
Sergey Kandaurov |
Fixed undefined behaviour with IPv4-mapped IPv6 addresses.
Previously, it could result when left-shifting signed integer due to implicit integer promotion, such that the most significant bit appeare
Fixed undefined behaviour with IPv4-mapped IPv6 addresses.
Previously, it could result when left-shifting signed integer due to implicit integer promotion, such that the most significant bit appeared on the sign bit.
In practice, though, this results in the same left value as with an explicit cast, at least on known compilers, such as GCC and Clang. The reason is that in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32 and LP64 data type models, has the same type width as the intermediate after integer promotion, so there's no side effects such as sign-extension. This explains why adding an explicit cast does not change object files in practice.
Found with UndefinedBehaviorSanitizer (shift).
Based on a patch by Piotr Sikora.
show more ...
|
9226:687c8306746f | 14-Mar-2024 |
Piotr Sikora |
Geo: fixed uninitialized memory access.
While copying ngx_http_variable_value_t structures to geo binary base in ngx_http_geo_copy_values(), and similarly in the stream module, uninitialized parts o
Geo: fixed uninitialized memory access.
While copying ngx_http_variable_value_t structures to geo binary base in ngx_http_geo_copy_values(), and similarly in the stream module, uninitialized parts of these structures are copied as well. These include the "escape" field and possible holes. Calculating crc32 of this data triggers uninitialized memory access.
Found with MemorySanitizer.
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
show more ...
|
9219:71880e854bc7 | 22-Mar-2024 |
Sergey Kandaurov |
Overhauled some diagnostic messages akin to 1b05b9bbcebf. |
Revision tags: release-1.25.4 |
|
9207:73eb75bee30f | 30-Jan-2024 |
Sergey Kandaurov |
HTTP/3: added more compatibility checks for "listen ... quic".
Now "fastopen", "backlog", "accept_filter", "deferred", and "so_keepalive" parameters are not allowed with "quic" in the "listen" direc
HTTP/3: added more compatibility checks for "listen ... quic".
Now "fastopen", "backlog", "accept_filter", "deferred", and "so_keepalive" parameters are not allowed with "quic" in the "listen" directive.
Reported by Izorkin.
show more ...
|
9204:631ee3c6d38c | 30-Jan-2024 |
Maxim Dounin |
Upstream: fixed usage of closed sockets with filter finalization.
When filter finalization is triggered when working with an upstream server, and error_page redirects request processing to some simp
Upstream: fixed usage of closed sockets with filter finalization.
When filter finalization is triggered when working with an upstream server, and error_page redirects request processing to some simple handler, ngx_http_request_finalize() triggers request termination when the response is sent. In particular, via the upstream cleanup handler, nginx will close the upstream connection and the corresponding socket.
Still, this can happen to be with ngx_event_pipe() on stack. While the code will set p->downstream_error due to NGX_ERROR returned from the output filter chain by filter finalization, otherwise the error will be ignored till control returns to ngx_http_upstream_process_request(). And event pipe might try reading from the (already closed) socket, resulting in "readv() failed (9: Bad file descriptor) while reading upstream" errors (or even segfaults with SSL).
Such errors were seen with the following configuration:
location /t2 { proxy_pass http://127.0.0.1:8080/big;
image_filter_buffer 10m; image_filter resize 150 100; error_page 415 = /empty; }
location /empty { return 204; }
location /big { # big enough static file }
Fix is to clear p->upstream in ngx_http_upstream_finalize_request(), and ensure that p->upstream is checked in ngx_event_pipe_read_upstream() and when handling events at ngx_event_pipe() exit.
show more ...
|
9203:0de20f43db25 | 30-Jan-2024 |
Maxim Dounin |
Fixed request termination with AIO and subrequests (ticket #2555).
When a request was terminated due to an error via ngx_http_terminate_request() while an AIO operation was running in a subrequest,
Fixed request termination with AIO and subrequests (ticket #2555).
When a request was terminated due to an error via ngx_http_terminate_request() while an AIO operation was running in a subrequest, various issues were observed. This happened because ngx_http_request_finalizer() was only set in the subrequest where ngx_http_terminate_request() was called, but not in the subrequest where the AIO operation was running. After completion of the AIO operation normal processing of the subrequest was resumed, leading to issues.
In particular, in case of the upstream module, termination of the request called upstream cleanup, which closed the upstream connection. Attempts to further work with the upstream connection after AIO operation completion resulted in segfaults in ngx_ssl_recv(), "readv() failed (9: Bad file descriptor) while reading upstream" errors, or socket leaks.
In ticket #2555, issues were observed with the following configuration with cache background update (with thread writing instrumented to introduce a delay, when a client closes the connection during an update):
location = /background-and-aio-write { proxy_pass ... proxy_cache one; proxy_cache_valid 200 1s; proxy_cache_background_update on; proxy_cache_use_stale updating; aio threads; aio_write on; limit_rate 1000; }
Similarly, the same issue can be seen with SSI, and can be caused by errors in subrequests, such as in the following configuration (where "/proxy" uses AIO, and "/sleep" returns 444 after some delay, causing request termination):
location = /ssi-active-boom { ssi on; ssi_types *; return 200 ' <!--#include virtual="/proxy" --> <!--#include virtual="/sleep" --> '; limit_rate 1000; }
Or the same with both AIO operation and the error in non-active subrequests (which needs slightly different handling, see below):
location = /ssi-non-active-boom { ssi on; ssi_types *; return 200 ' <!--#include virtual="/static" --> <!--#include virtual="/proxy" --> <!--#include virtual="/sleep" --> '; limit_rate 1000; }
Similarly, issues can be observed with just static files. However, with static files potential impact is limited due to timeout safeguards in ngx_http_writer(), and the fact that c->error is set during request termination.
In a simple configuration with an AIO operation in the active subrequest, such as in the following configuration, the connection is closed right after completion of the AIO operation anyway, since ngx_http_writer() tries to write to the connection and fails due to c->error set:
location = /ssi-active-static-boom { ssi on; ssi_types *; return 200 ' <!--#include virtual="/static-aio" --> <!--#include virtual="/sleep" --> '; limit_rate 1000; }
In the following configuration, with an AIO operation in a non-active subrequest, the connection is closed only after send_timeout expires:
location = /ssi-non-active-static-boom { ssi on; ssi_types *; return 200 ' <!--#include virtual="/static" --> <!--#include virtual="/static-aio" --> <!--#include virtual="/sleep" --> '; limit_rate 1000; }
Fix is to introduce r->main->terminated flag, which is to be checked by AIO event handlers when the r->main->blocked counter is decremented. When the flag is set, handlers are expected to wake up the connection instead of the subrequest (which might be already cleaned up).
Additionally, now ngx_http_request_finalizer() is always set in the active subrequest, so waking up the connection properly finalizes the request even if termination happened in a non-active subrequest.
show more ...
|
9202:e88cdaa0f1ff | 29-Jan-2024 |
Maxim Dounin |
AIO operations now add timers (ticket #2162).
Each AIO (thread IO) operation being run is now accompanied with 1-minute timer. This timer prevents unexpected shutdown of the worker process while an
AIO operations now add timers (ticket #2162).
Each AIO (thread IO) operation being run is now accompanied with 1-minute timer. This timer prevents unexpected shutdown of the worker process while an AIO operation is running, and logs an alert if the operation is running for too long.
This fixes "open socket left" alerts during worker processes shutdown due to pending AIO (or thread IO) operations while corresponding requests have no timers. In particular, such errors were observed while reading cache headers (ticket #2162), and with worker_shutdown_timeout.
show more ...
|
9188:b05c622715fa | 29-Nov-2023 |
Vladimir Khomutov |
HTTP: uniform checks in ngx_http_alloc_large_header_buffer().
If URI is not fully parsed yet, some pointers are not set. As a result, the calculation of "new + (ptr - old)" expression is flawed.
A
HTTP: uniform checks in ngx_http_alloc_large_header_buffer().
If URI is not fully parsed yet, some pointers are not set. As a result, the calculation of "new + (ptr - old)" expression is flawed.
According to C11, 6.5.6 Additive operators, p.9:
: When two pointers are subtracted, both shall point to elements : of the same array object, or one past the last element of the : array object
Since "ptr" is not set, subtraction leads to undefined behaviour, because "ptr" and "old" are not in the same buffer (i.e. array objects).
Prodded by GCC undefined behaviour sanitizer.
show more ...
|
9187:dacad3a9c7b8 | 27-Nov-2023 |
Vladimir Khomutov |
HTTP: removed unused r->port_start and r->port_end.
Neither r->port_start nor r->port_end were ever used.
The r->port_end is set by the parser, though it was never used by the following code (and w
HTTP: removed unused r->port_start and r->port_end.
Neither r->port_start nor r->port_end were ever used.
The r->port_end is set by the parser, though it was never used by the following code (and was never usable, since not copied by the ngx_http_alloc_large_header_buffer() without r->port_start set).
show more ...
|
9186:f366007dd23a | 14-Nov-2023 |
Sergey Kandaurov |
HTTP/3: added Huffman decoding error logging. |
9185:c458cd00bb0b | 14-Nov-2023 |
Sergey Kandaurov |
Adjusted Huffman coding debug logging, missed in 7977:336084ff943b.
Spotted by XingY Wang. |
Revision tags: release-1.25.3 |
|
9179:ea1f29c2010c | 21-Oct-2023 |
Sergey Kandaurov |
HTTP/2: fixed buffer management with HTTP/2 auto-detection.
As part of normal HTTP/2 processing, incomplete frames are saved in the control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFE
HTTP/2: fixed buffer management with HTTP/2 auto-detection.
As part of normal HTTP/2 processing, incomplete frames are saved in the control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE. For this matter, two state buffers are reserved in the HTTP/2 recv buffer.
As part of HTTP/2 auto-detection on plain TCP connections, initial data is first read into a buffer specified by the client_header_buffer_size directive that doesn't have state reservation. Previously, this made it possible to over-read the buffer as part of saving the state.
The fix is to read the available buffer size rather than a fixed size. Although memcpy of a fixed size can produce a better optimized code, handling of incomplete frames isn't a common execution path, so it was sacrificed for the sake of simplicity of the fix.
show more ...
|
9165:cdda286c0f1b | 10-Oct-2023 |
Maxim Dounin |
HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected early, a limit of no more than 2 * max_concurrent_streams new streams per one eve
HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected early, a limit of no more than 2 * max_concurrent_streams new streams per one event loop iteration was introduced. This limit is applied even if max_concurrent_streams is not yet reached - for example, if corresponding streams are handled synchronously or reset.
Further, refused streams are now limited to maximum of max_concurrent_streams and 100, similarly to priority_limit initial value, providing some tolerance to clients trying to open several streams at the connection start, yet low tolerance to flooding attempts.
show more ...
|
9161:4939fd04737f | 14-Sep-2023 |
Roman Arutyunyan |
HTTP/3: postponed session creation to init() callback.
Now the session object is assigned to c->data while ngx_http_connection_t object is referenced by its http_connection field, similar to ngx_htt
HTTP/3: postponed session creation to init() callback.
Now the session object is assigned to c->data while ngx_http_connection_t object is referenced by its http_connection field, similar to ngx_http_v2_connection_t and ngx_http_request_t.
The change allows to eliminate v3_session field from ngx_http_connection_t. The field was under NGX_HTTP_V3 macro, which was a source of binary compatibility problems when nginx/module is build with/without HTTP/3 support.
Postponing is essential since c->data should retain the reference to ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this.
show more ...
|
9159:6d3ca6f8db35 | 13-Sep-2023 |
Roman Arutyunyan |
HTTP/3: moved variable initialization. |
9158:ad3d34ddfdcc | 13-Sep-2023 |
Roman Arutyunyan |
QUIC: "handshake_timeout" configuration parameter.
Previously QUIC did not have such parameter and handshake duration was controlled by HTTP/3. However that required creating and storing HTTP/3 ses
QUIC: "handshake_timeout" configuration parameter.
Previously QUIC did not have such parameter and handshake duration was controlled by HTTP/3. However that required creating and storing HTTP/3 session on first client datagram. Apparently there's no convenient way to store the session object until QUIC handshake is complete. In the followup patches session creation will be postponed to init() callback.
show more ...
|
9155:35bb47f65cab | 31-Aug-2023 |
Maxim Dounin |
Upstream: fixed handling of Status headers without reason-phrase.
Status header with an empty reason-phrase, such as "Status: 404 ", is valid per CGI specification, but looses the trailing space dur
Upstream: fixed handling of Status headers without reason-phrase.
Status header with an empty reason-phrase, such as "Status: 404 ", is valid per CGI specification, but looses the trailing space during parsing. Currently, this results in "HTTP/1.1 404" HTTP status line in the response, which violates HTTP specification due to missing trailing space.
With this change, only the status code is used from such short Status header lines, so nginx will generate status line itself, with the space and appropriate reason phrase if available.
Reported at: https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html
show more ...
|
Revision tags: release-1.25.2 |
|
9133:f91dc350be9f | 12-Jul-2023 |
Sergey Kandaurov |
HTTP/3: fixed $body_bytes_sent. |
Revision tags: release-1.25.1 |
|
9121:262c01782566 | 08-Jun-2023 |
Sergey Kandaurov |
HTTP/2: removed server push (ticket #2432).
Although it has better implementation status than HTTP/3 server push, it remains of limited use, with adoption numbers seen as negligible. Per IETF 102 ma
HTTP/2: removed server push (ticket #2432).
Although it has better implementation status than HTTP/3 server push, it remains of limited use, with adoption numbers seen as negligible. Per IETF 102 materials, server push was used only in 0.04% of sessions. It was considered to be "difficult to use effectively" in RFC 9113. Its use is further limited by badly matching to fetch/cache/connection models in browsers, see related discussions linked from [1].
Server push was disabled in Chrome 106 [2].
The http2_push, http2_push_preload, and http2_max_concurrent_pushes directives are made obsolete. In particular, this essentially reverts 7201:641306096f5b and 7207:3d2b0b02bd3d.
[1] https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/ [2] https://chromestatus.com/feature/6302414934114304
show more ...
|
9120:0aaa09927703 | 08-Jun-2023 |
Roman Arutyunyan |
SSL: removed the "ssl" directive.
It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of the "ssl" parameter of the "listen" directive, which has been available since 2224:109849282793
SSL: removed the "ssl" directive.
It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of the "ssl" parameter of the "listen" directive, which has been available since 2224:109849282793 (0.7.14).
show more ...
|
9119:08ef02ad5c54 | 16-May-2023 |
Roman Arutyunyan |
HTTP/2: "http2" directive.
The directive enables HTTP/2 in the current server. The previous way to enable HTTP/2 via "listen ... http2" is now deprecated. The new approach allows to share HTTP/2 a
HTTP/2: "http2" directive.
The directive enables HTTP/2 in the current server. The previous way to enable HTTP/2 via "listen ... http2" is now deprecated. The new approach allows to share HTTP/2 and HTTP/0.9-1.1 on the same port.
For SSL connections, HTTP/2 is now selected by ALPN callback based on whether the protocol is enabled in the virtual server chosen by SNI. This however only works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback. For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual server configuration.
For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if HTTP/2 is enabled in the default virtual server. If preface is not matched, HTTP/0.9-1.1 is assumed.
show more ...
|
Revision tags: release-1.25.0 |
|
9108:f742b1b46901 | 12-May-2023 |
Roman Arutyunyan |
HTTP/3: removed server push support. |
9107:adcc6d8acfd4 | 13-May-2023 |
Roman Arutyunyan |
Common tree insert function for QUIC and UDP connections.
Previously, ngx_udp_rbtree_insert_value() was used for plain UDP and ngx_quic_rbtree_insert_value() was used for QUIC. Because of this it w
Common tree insert function for QUIC and UDP connections.
Previously, ngx_udp_rbtree_insert_value() was used for plain UDP and ngx_quic_rbtree_insert_value() was used for QUIC. Because of this it was impossible to initialize connection tree in ngx_create_listening() since this function is not aware what kind of listening it creates.
Now ngx_udp_rbtree_insert_value() is used for both QUIC and UDP. To make is possible, a generic key field is added to ngx_udp_connection_t. It keeps client address for UDP and connection ID for QUIC.
show more ...
|
9105:8057e053480a | 11-May-2023 |
Maxim Dounin |
QUIC: style. |