Re: [PATCH] Stream pass: disabled passing from or to udp
> On 3 May 2024, at 20:30, Roman Arutyunyan wrote:
>
> Hi,
>
> On Fri, May 03, 2024 at 08:24:16PM +0400, Sergey Kandaurov wrote:
>>
>>> On 26 Apr 2024, at 15:15, Roman Arutyunyan wrote:
>>>
>>> # HG changeset patch
>>> # User Roman Arutyunyan
>>> # Date 1714057362 -14400
>>> # Thu Apr 25 19:02:42 2024 +0400
>>> # Branch stable-1.26
>>
>> wrong branch
>
> Yes, already noticed this.
>
>>> # Node ID a60cd9c99efcc1204e6d395104beb39883308c93
>>> # Parent cdf74ac25b47ec928b53aa82ccc1c3d288a2f81c
>>> Stream pass: disabled passing from or to udp.
>>>
>>> Passing from udp was not possible for the most part due to preread buffer
>>> restriction. Passing to udp could occasionally work, but the connection
>>> would
>>> still be bound to the orignial listen rbtree, which prevented it from being
>>
>> typo in "original"
>
> Thanks.
>
>>> deleted on connection closure.
>>>
>>> Also, passing to a QUIC listen socket is disabled by this change as well.
>>
>> disabled for the same reasons?
>
> Let's just remove this part. I think no explanation is needed in this
> version of the patch.
>
> Final version:
>
> Stream pass: disabled passing from or to udp.
>
> Passing from udp was not possible for the most part due to preread buffer
> restriction. Passing to udp could occasionally work, but the connection would
> still be bound to the original listen rbtree, which prevented it from being
> deleted on connection closure.
>
> [..]

Looks fine.

--
Sergey Kandaurov

___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] Stream pass: disabled passing from or to udp.
details: https://hg.nginx.org/nginx/rev/89093b003fcb branches: changeset: 9246:89093b003fcb user: Roman Arutyunyan date: Fri May 03 20:26:05 2024 +0400 description: Stream pass: disabled passing from or to udp. Passing from udp was not possible for the most part due to preread buffer restriction. Passing to udp could occasionally work, but the connection would still be bound to the original listen rbtree, which prevented it from being deleted on connection closure. diffstat: src/stream/ngx_stream_pass_module.c | 9 + 1 files changed, 9 insertions(+), 0 deletions(-) diffs (26 lines): diff -r c4792b0f1976 -r 89093b003fcb src/stream/ngx_stream_pass_module.c --- a/src/stream/ngx_stream_pass_module.c Fri May 03 20:29:01 2024 +0400 +++ b/src/stream/ngx_stream_pass_module.c Fri May 03 20:26:05 2024 +0400 @@ -83,6 +83,11 @@ ngx_stream_pass_handler(ngx_stream_sessi c->log->action = "passing connection to port"; +if (c->type == SOCK_DGRAM) { +ngx_log_error(NGX_LOG_ERR, c->log, 0, "cannot pass udp connection"); +goto failed; +} + if (c->buffer && c->buffer->pos != c->buffer->last) { ngx_log_error(NGX_LOG_ERR, c->log, 0, "cannot pass connection with preread data"); @@ -217,6 +222,10 @@ ngx_stream_pass_cleanup(void *data) static ngx_int_t ngx_stream_pass_match(ngx_listening_t *ls, ngx_addr_t *addr) { +if (ls->type == SOCK_DGRAM) { +return NGX_DECLINED; +} + if (!ls->wildcard) { return ngx_cmp_sockaddr(ls->sockaddr, ls->socklen, addr->sockaddr, addr->socklen, 1); ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
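Review bot: in the ngx_stream_pass_handler hunk the new `c->type == SOCK_DGRAM` test is correctly placed ahead of the existing `c->buffer->pos != c->buffer->last` test, since a UDP session always arrives with its datagram already in c->buffer and would otherwise be rejected with the less specific "cannot pass connection with preread data" message. What is still missing is documentation: because `pass` is a per-server directive and one server may carry both TCP and UDP `listen` sockets, this has to stay a runtime check that logs at NGX_LOG_ERR for every UDP session that reaches the handler, so the directive's documentation should state that UDP listeners are not supported on either side of a pass, rather than leaving operators to discover it from the error log.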
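Review bot: in the ngx_stream_pass_match hunk, returning NGX_DECLINED for a SOCK_DGRAM listener is silent, so a `pass` whose target address is served only by a UDP listener fails exactly like an address with no listener at all, and the caller's error reporting (not in this hunk) cannot tell the two apart; consider logging at the point of declining, or returning a distinct value the caller can report, so the misconfiguration is diagnosable from a single log line. The same test also covers QUIC listeners, which are datagram sockets, so a comment such as `/* udp and quic listeners cannot be passed to */` above the check would record that intent.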
Re: [PATCH] Stream pass: disabled passing from or to udp
Hi,

On Fri, May 03, 2024 at 08:24:16PM +0400, Sergey Kandaurov wrote:
>
> > On 26 Apr 2024, at 15:15, Roman Arutyunyan wrote:
> >
> > # HG changeset patch
> > # User Roman Arutyunyan
> > # Date 1714057362 -14400
> > # Thu Apr 25 19:02:42 2024 +0400
> > # Branch stable-1.26
>
> wrong branch

Yes, already noticed this.

> > # Node ID a60cd9c99efcc1204e6d395104beb39883308c93
> > # Parent cdf74ac25b47ec928b53aa82ccc1c3d288a2f81c
> > Stream pass: disabled passing from or to udp.
> >
> > Passing from udp was not possible for the most part due to preread buffer
> > restriction. Passing to udp could occasionally work, but the connection
> > would
> > still be bound to the orignial listen rbtree, which prevented it from being
>
> typo in "original"

Thanks.

> > deleted on connection closure.
> >
> > Also, passing to a QUIC listen socket is disabled by this change as well.
>
> disabled for the same reasons?

Let's just remove this part. I think no explanation is needed in this
version of the patch.

Final version:

Stream pass: disabled passing from or to udp.

Passing from udp was not possible for the most part due to preread buffer
restriction. Passing to udp could occasionally work, but the connection would
still be bound to the original listen rbtree, which prevented it from being
deleted on connection closure.

[..]

--
Roman Arutyunyan
[nginx] SSL: fixed possible configuration overwrite loading "engine:" keys.
details: https://hg.nginx.org/nginx/rev/c4792b0f1976 branches: changeset: 9245:c4792b0f1976 user: Sergey Kandaurov date: Fri May 03 20:29:01 2024 +0400 description: SSL: fixed possible configuration overwrite loading "engine:" keys. When loading certificate keys via ENGINE_load_private_key() in runtime, it was possible to overwrite configuration on ENGINE_by_id() failure. OpenSSL documention doesn't describe errors in details, the only reason I found in the comment to example is when the engine is not available. diffstat: src/event/ngx_event_openssl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (19 lines): diff -r 690f46d3bc1f -r c4792b0f1976 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Fri May 03 20:28:32 2024 +0400 +++ b/src/event/ngx_event_openssl.c Fri May 03 20:29:01 2024 +0400 @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t engine = ENGINE_by_id((char *) p); +*last++ = ':'; + if (engine == NULL) { *err = "ENGINE_by_id() failed"; return NULL; } -*last++ = ':'; - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); if (pkey == NULL) { ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
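Review bot: the reordering is correct, but the hunk reads as arbitrary without context: `*last++ = ':'` restores a separator that a line above this hunk (not shown) replaced with a terminating NUL so that `p` could be handed to ENGINE_by_id() as a bare engine id, and leaving it unrestored on the NULL path is the "configuration overwrite" the commit message refers to. A one-line comment above `*last++ = ':';` saying that it restores the separator for both the error and the success path would keep a future cleanup from moving it back below the check and reintroducing the bug. Not visible here but worth confirming: the structural reference returned by ENGINE_by_id() needs ENGINE_free() on the later `pkey == NULL` path as well as on success.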
[nginx] HTTP/3: fixed handling of malformed request body length.
details: https://hg.nginx.org/nginx/rev/690f46d3bc1f branches: changeset: 9244:690f46d3bc1f user: Sergey Kandaurov date: Fri May 03 20:28:32 2024 +0400 description: HTTP/3: fixed handling of malformed request body length. Previously, a request body larger than declared in Content-Length resulted in a 413 status code, because Content-Length was mistakenly used as the maximum allowed request body, similar to client_max_body_size. Following the HTTP/3 specification, such requests are now rejected with the 400 error as malformed. diffstat: src/http/v3/ngx_http_v3_request.c | 9 + 1 files changed, 9 insertions(+), 0 deletions(-) diffs (19 lines): diff -r ff0312de0112 -r 690f46d3bc1f src/http/v3/ngx_http_v3_request.c --- a/src/http/v3/ngx_http_v3_request.c Fri May 03 20:28:22 2024 +0400 +++ b/src/http/v3/ngx_http_v3_request.c Fri May 03 20:28:32 2024 +0400 @@ -1575,6 +1575,15 @@ ngx_http_v3_request_body_filter(ngx_http /* rc == NGX_OK */ if (max != -1 && (uint64_t) (max - rb->received) < st->length) { + +if (r->headers_in.content_length_n != -1) { +ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client intended to send body data " + "larger than declared"); + +return NGX_HTTP_BAD_REQUEST; +} + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "client intended to send too large " "body: %O+%ui bytes", ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
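Review bot: the new branch chooses between 400 and the existing 413 path solely on `r->headers_in.content_length_n != -1`, not on whether `max` was actually derived from Content-Length; if `max` can also be client_max_body_size while a Content-Length header is present (how `max` is computed sits above this hunk and is not visible here), a body that exceeds client_max_body_size but honestly stays within its declared Content-Length would be logged as "larger than declared" and rejected as malformed instead of as too large. If that case is reachable, comparing `rb->received` plus `st->length` against `r->headers_in.content_length_n` directly inside the new branch makes the 400 path exact; if `max` is always Content-Length whenever the header is present, a comment next to the test should state that invariant, since the hunk depends on it. Logging the malformed case at NGX_LOG_INFO while the oversized case stays at NGX_LOG_ERR matches the usual nginx convention for client-side errors.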
[nginx] Version bump.
details: https://hg.nginx.org/nginx/rev/ff0312de0112 branches: changeset: 9243:ff0312de0112 user: Sergey Kandaurov date: Fri May 03 20:28:22 2024 +0400 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r 49dce50fad40 -r ff0312de0112 src/core/nginx.h --- a/src/core/nginx.h Tue Apr 16 18:29:59 2024 +0400 +++ b/src/core/nginx.h Fri May 03 20:28:22 2024 +0400 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1025005 -#define NGINX_VERSION "1.25.5" +#define nginx_version 1027000 +#define NGINX_VERSION "1.27.0" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
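Review bot: nothing to change in the nginx.h hunk; the two defines stay consistent, 1027000 being the numeric form of "1.27.0" exactly as 1025005 was of "1.25.5", and the jump from 1.25.5 straight to 1.27.0 is what is expected on the mainline once the stable-1.26 branch mentioned elsewhere in this thread was split off.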
Re: [PATCH] Stream pass: disabled passing from or to udp
> On 26 Apr 2024, at 15:15, Roman Arutyunyan wrote: > > # HG changeset patch > # User Roman Arutyunyan > # Date 1714057362 -14400 > # Thu Apr 25 19:02:42 2024 +0400 > # Branch stable-1.26 wrong branch > # Node ID a60cd9c99efcc1204e6d395104beb39883308c93 > # Parent cdf74ac25b47ec928b53aa82ccc1c3d288a2f81c > Stream pass: disabled passing from or to udp. > > Passing from udp was not possible for the most part due to preread buffer > restriction. Passing to udp could occasionally work, but the connection would > still be bound to the orignial listen rbtree, which prevented it from being typo in "original" > deleted on connection closure. > > Also, passing to a QUIC listen socket is disabled by this change as well. disabled for the same reasons? > > diff --git a/src/stream/ngx_stream_pass_module.c > b/src/stream/ngx_stream_pass_module.c > --- a/src/stream/ngx_stream_pass_module.c > +++ b/src/stream/ngx_stream_pass_module.c > @@ -83,6 +83,11 @@ ngx_stream_pass_handler(ngx_stream_sessi > > c->log->action = "passing connection to port"; > > +if (c->type == SOCK_DGRAM) { > +ngx_log_error(NGX_LOG_ERR, c->log, 0, "cannot pass udp connection"); > +goto failed; > +} > + > if (c->buffer && c->buffer->pos != c->buffer->last) { > ngx_log_error(NGX_LOG_ERR, c->log, 0, > "cannot pass connection with preread data"); > @@ -217,6 +222,10 @@ ngx_stream_pass_cleanup(void *data) > static ngx_int_t > ngx_stream_pass_match(ngx_listening_t *ls, ngx_addr_t *addr) > { > +if (ls->type == SOCK_DGRAM) { > +return NGX_DECLINED; > +} > + > if (!ls->wildcard) { > return ngx_cmp_sockaddr(ls->sockaddr, ls->socklen, > addr->sockaddr, addr->socklen, 1); The change is good. -- Sergey Kandaurov ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
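Review bot: the commit message's QUIC sentence ("Also, passing to a QUIC listen socket is disabled by this change as well") follows from the ngx_stream_pass_match hunk only because QUIC listeners are SOCK_DGRAM sockets, which the message does not say, so it reads as a separate, unexplained decision and invites the "disabled for the same reasons?" question; either state that QUIC listeners are datagram sockets and are therefore caught by the same `ls->type == SOCK_DGRAM` test, or drop the sentence, as the final version in this thread does.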
Re: [PATCH] SSL: fixed possible configuration overwrite loading "engine:" keys
Hi, On Fri, May 03, 2024 at 04:28:17AM +0400, Sergey Kandaurov wrote: > # HG changeset patch > # User Sergey Kandaurov > # Date 1714670294 -14400 > # Thu May 02 21:18:14 2024 +0400 > # Node ID e00aeabf2b29b891891fd150a01c82b0763c57c0 > # Parent 49dce50fad40bf09db81ca2a35983ecd7b740e43 > SSL: fixed possible configuration overwrite loading "engine:" keys. > > When loading certificate keys via ENGINE_load_private_key() in runtime, > it was possible to overwrite configuration on ENGINE_by_id() failure. > OpenSSL documention doesn't describe errors in details, the only reason > I found in the comment to example is when the engine is not available. > > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c > --- a/src/event/ngx_event_openssl.c > +++ b/src/event/ngx_event_openssl.c > @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t > > engine = ENGINE_by_id((char *) p); > > +*last++ = ':'; > + > if (engine == NULL) { > *err = "ENGINE_by_id() failed"; > return NULL; > } > > -*last++ = ':'; > - > pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); > > if (pkey == NULL) { > ___ > nginx-devel mailing list > nginx-devel@nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx-devel Looks ok -- Roman Arutyunyan ___ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
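Review bot: the commit message should name what gets overwritten: the hunk restores the ':' separator inside the "engine:name:id" value of `ssl_certificate_key`, a string that is part of the parsed configuration, after an earlier line replaced it with a NUL to isolate the engine id for ENGINE_by_id(); saying so makes "overwrite configuration" concrete and explains why the restore must precede the NULL check. Two wording fixes while at it: "documention" should read "documentation" and "in details" should read "in detail".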