I've played little bit with the patch and it led me to backend.c file and
connect_server() function
int connect_server(struct stream *s)
{
[...]
if (!conn_xprt_ready(srv_conn) && !srv_conn->mux) {
/* set the correct protocol on the output stream interface
*/
if (srv)
conn_prepare(srv_conn,
protocol_by_family(srv_conn->dst->ss_family), srv->xprt);
else if (obj_type(s->target) == OBJ_TYPE_PROXY) {
/* proxies exclusively run on raw_sock right now */
conn_prepare(srv_conn,
protocol_by_family(srv_conn->dst->ss_family), xprt_get(XPRT_RAW));
if (!(srv_conn->ctrl)) {
conn_free(srv_conn);
return SF_ERR_INTERNAL;
}
}
else {
conn_free(srv_conn);
return SF_ERR_INTERNAL; /* how did we get there ?
*/
}
// THIS ONE IS OK
TEST_STRM(s);
//////////////////////////////
srv_cs = si_alloc_cs(&s->si[1], srv_conn);
// FAIL
TEST_STRM(s);
//////////////////////////////
if (!srv_cs) {
conn_free(srv_conn);
return SF_ERR_RESOURCE;
}
[...]
}
pon., 9 lis 2020 o 11:51 Maciej Zdeb <mac...@zdeb.pl> napisał(a):
> Hi,
>
> This time h2s = 0x30 ;)
>
> it crashed here:
> void testcorrupt(void *ptr)
> {
> [...]
> if (h2s->cs != cs)
> return;
> [...]
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x0000556b617f0562 in testcorrupt (ptr=0x7f99741d85a0) at
> src/mux_h2.c:6228
> 6228 src/mux_h2.c: No such file or directory.
> [Current thread is 1 (Thread 0x7f99a484d700 (LWP 28658))]
> (gdb) bt full
> #0 0x0000556b617f0562 in testcorrupt (ptr=0x7f99741d85a0) at
> src/mux_h2.c:6228
> cs = 0x7f99741d85a0
> h2s = 0x30
> #1 0x0000556b61850b1a in process_stream (t=0x7f99741d8c60,
> context=0x7f99682cd7b0, state=1284) at src/stream.c:2147
> srv = 0x556b622770e0
> s = 0x7f99682cd7b0
> sess = 0x7f9998057170
> rqf_last = 9469954
> rpf_last = 2151677952
> rq_prod_last = 8
> rq_cons_last = 0
> rp_cons_last = 8
> rp_prod_last = 0
> req_ana_back = 0
> req = 0x7f99682cd7c0
> res = 0x7f99682cd820
> si_f = 0x7f99682cdae8
> si_b = 0x7f99682cdb40
> rate = 1
> #2 0x0000556b61962a5f in run_tasks_from_list (list=0x556b61db1600
> <task_per_thread+832>, max=150) at src/task.c:371
> process = 0x556b6184d8e6 <process_stream>
> t = 0x7f99741d8c60
> state = 1284
> ctx = 0x7f99682cd7b0
> done = 2
> [...]
>
>
> pt., 6 lis 2020 o 20:00 Willy Tarreau <w...@1wt.eu> napisał(a):
>
>> Maciej,
>>
>> I wrote this ugly patch to try to crash as soon as possible when a corrupt
>> h2s->subs is detected. The patch was written for 2.2. I only instrumented
>> roughly 30 places in process_stream() which is a fairly likely candidate.
>> I just hope it happens within the context of the stream itself otherwise
>> it will become really painful.
>>
>> You can apply this patch on top of your existing changes. It will try to
>> detect the presence of a non-zero lowest bit in the subs pointer (which
>> should never happen). If we're lucky it will crash inside process_stream()
>> between two points and we'll be able to narrow it down. If we're unlucky
>> it will crash when entering it and that will not be fun.
>>
>> If you want to play with it, you can apply TEST_SI() on stream_interface
>> pointers (often called "si"), TEST_STRM() on stream pointers, and
>> TEST_CS()
>> on conn_stream pointers (often called "cs").
>>
>> Please just let me know how it goes. Note, I tested it, it passes all
>> regtests for me so I'm reasonably confident it should not crash by
>> accident. But I can't be sure, I'm just using heuristics, so please do
>> not put it in sensitive production!
>>
>> Thanks,
>> Willy
>>
>
