Willy Tarreau:
> Hi Wietse,
>
> On Tue, May 29, 2012 at 08:18:35AM -0400, Wietse Venema wrote:
> > Willy Tarreau:
> > > > >Regardless of command format details, if the proxy prepends a command
> > > > >to the client's SMTP stream, then postscreen must use unbuffered
> > > > >I/O to read that command. If buffering were turned on, the buffering
> > > > >layer could read past the proxy's<CR><LF> and eat up part of the
> > > > >client input kind-of like CVE-2011-0411.
> > >
> > > Precisely on this point there is an easier way, it consists in using
> > > recv(MSG_PEEK). The big advantage is that you don't need to store the
> > > temporary bytes you've read since they remain in the kernel's buffers.
> > > So it more or less looks like this :
> >
> > First, just like SMTP and HTTP protocol documentation, HAPROXY
> > documentation states nowhere that any particular information must
> > be sent (or received) in exactly one TCP segment.
>
> No, there is no such requirement, as this can never be guaranteed anywhere.
> That's why in my example, there was a return on incomplete lines, waiting
> for the next event to try to complete the line.
Postscreen, faced with the same non-problem in SMTP, does exactly
the same thing. The line read routine would need to be moved out
of the dummy SMTP engine so that it can be reused to read proxy
data, whether from haproxy, xclient or something else.
Wietse
