On Wed, April 4, 2018 10:02 am, trondd wrote:
> Bringing this back up from the depths. I kept rolling back to older httpd
> code and forgetting about this :(
>
> I still see this issue in 6.3. A new packet cap looks the same.

Ok, I was able to do some more digging into this.

httpd does not close the socket after the range request completes. fstat will show the socket remaining open. A Linux client will show the socket in FIN_WAIT2 with netstat. The packet caps support this and show that after a 404 (or successful GET), a FIN packet follows. After the partial request is sent, httpd does not send the FIN packet.

You can reproduce with curl (in this case simulating freshclam's request):

curl --http1.0 -H "Connection: close" --range 0-511 http://server.com/main.cvd

Certain files work ok. I also tried using base tarballs. Httpd works correctly with index.txt, SHA256.sig but not base63.tgz nor even INSTALL.amd64.

curl --http1.0 -H "Connection: close" --range 0-2 http://server.com/pub/OpenBSD/6.3/amd64/INSTALL.amd64

Repeated invocations of curl leave a pile of sockets open on the OBSD server machine. They don't seem to ever time out. I would think this could lead to a DoS by socket or file descriptor exhaustion.

Not sure why, yet, but server_close is not being called in these cases.

Tim.

Below are new pcaps
Good pcap, where it sends a PF packet with the requested content and cleans up properly
Bad pcap, where it does not send an F packet
And my httpd.conf file.

172.25.87.91 is the server and .83 is the client.

Good pcap

Apr 04 18:34:56.852601 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 74: 172.25.87.83.59386 > 172.25.87.91.80: S 8717427:8717427(0) win 29200 <mss 1460,sackOK,timestamp 792150152 0,nop,wscale 7> (DF)
.PVSS..PV.....E..<D.@.@.....WS..W[...P...s......r.r.......... /7@.........

Apr 04 18:34:56.852813 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 78: 172.25.87.91.80 > 172.25.87.83.59386: S 2061278000:2061278000(0) ack 8717428 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 2801688519 792150152>
.PV....PVSS...E..@....@.....W[..WS.P..z..0...t..@.u3................. .._./7@.

Apr 04 18:34:56.973081 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59386 > 172.25.87.91.80: . ack 1 win 229 <nop,nop,timestamp 792150377 2801688519> (DF)
.PVSS..PV.....E..4D.@.@.....WS..W[...P...tz..1.....>..... /7Ai.._.

Apr 04 18:34:56.973261 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 224: 172.25.87.83.59386 > 172.25.87.91.80: P 1:159(158) ack 1 win 229 <nop,nop,timestamp 792150377 2801688519> (DF)
.PVSS..PV.....E...D.@.@..G..WS..W[...P...tz..1....p...... /7Ai.._.GET /pub/OpenBSD/6.3/amd64/index.txt HTTP/1.0
Range: bytes=0-2
User-Agent: curl/7.29.0
Host: obsd-build.llan.ll.mit.edu
Accept: */*
Connection: close

Apr 04 18:34:56.973855 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 299: 172.25.87.91.80 > 172.25.87.83.59386: P 1:234(233) ack 159 win 271 <nop,nop,timestamp 2801688519 792150377>
.PV....PVSS...E.......@..t..W[..WS.P..z..1............... .._./7AiHTTP/1.0 206 Partial Content
Connection: close
Content-Length: 3
Content-Range: bytes 0-2/2557
Content-Type: text/plain
Date: Wed, 04 Apr 2018 22:34:56 GMT
Last-Modified: Wed, 04 Apr 2018 18:24:33 GMT
Server: OpenBSD httpd

Apr 04 18:34:56.974107 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 69: 172.25.87.91.80 > 172.25.87.83.59386: FP 234:237(3) ack 159 win 271 <nop,nop,timestamp 2801688519 792150377>
.PV....PVSS...E..7<V..@.7...W[..WS.P..z.................. .._./7Aitot

Apr 04 18:34:56.974231 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59386 > 172.25.87.91.80: . ack 234 win 237 <nop,nop,timestamp 792150378 2801688519> (DF)
.PVSS..PV.....E..4D.@.@.....WS..W[...P....z.............. /7Aj.._.

Apr 04 18:34:56.974528 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59386 > 172.25.87.91.80: F 159:159(0) ack 238 win 237 <nop,nop,timestamp 792150378 2801688519> (DF)
.PVSS..PV.....E..4D.@.@.....WS..W[...P....z.............. /7Aj.._.

Apr 04 18:34:56.974571 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 66: 172.25.87.91.80 > 172.25.87.83.59386: . ack 160 win 271 <nop,nop,timestamp 2801688519 792150378>
.PV....PVSS...E..4....@.....W[..WS.P..z.................. .._./7Aj

Bad pcap

Apr 04 18:35:09.611294 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 74: 172.25.87.83.59394 > 172.25.87.91.80: S 2140443861:2140443861(0) win 29200 <mss 1460,sackOK,timestamp 792163015 0,nop,wscale 7> (DF)
.PVSS..PV.....E..<..@.@.M...WS..W[...P..........r.0S......... /7r.........

Apr 04 18:35:09.611404 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 78: 172.25.87.91.80 > 172.25.87.83.59394: S 2511497397:2511497397(0) ack 2140443862 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 633492354 792163015>
.PV....PVSS...E..@\...@.....W[..WS.P....h.......@.................... %.S./7r.

Apr 04 18:35:09.611813 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59394 > 172.25.87.91.80: . ack 1 win 229 <nop,nop,timestamp 792163015 633492354> (DF)
.PVSS..PV.....E..4..@.@.M...WS..W[...P......h.....X...... /7r.%.S.

Apr 04 18:35:09.611881 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 228: 172.25.87.83.59394 > 172.25.87.91.80: P 1:163(162) ack 1 win 229 <nop,nop,timestamp 792163016 633492354> (DF)
.PVSS..PV.....E.....@.@.M,..WS..W[...P......h......`..... /7r.%.S.GET /pub/OpenBSD/6.3/amd64/INSTALL.amd64 HTTP/1.0
Range: bytes=0-2
User-Agent: curl/7.29.0
Host: obsd-build.llan.ll.mit.edu
Accept: */*
Connection: close

Apr 04 18:35:09.612428 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 314: 172.25.87.91.80 > 172.25.87.83.59394: P 1:249(248) ack 163 win 271 <nop,nop,timestamp 633492354 792163016>
.PV....PVSS...E..,....@.....W[..WS.P....h....x........... %.S./7r.HTTP/1.0 206 Partial Content
Connection: close
Content-Length: 3
Content-Range: bytes 0-2/43409
Content-Type: application/octet-stream
Date: Wed, 04 Apr 2018 22:35:09 GMT
Last-Modified: Wed, 04 Apr 2018 18:24:13 GMT
Server: OpenBSD httpd

Apr 04 18:35:09.612820 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59394 > 172.25.87.91.80: . ack 249 win 237 <nop,nop,timestamp 792163016 633492354> (DF)
.PVSS..PV.....E..4..@.@.M...WS..W[...P...x..i.....V...... /7r.%.S.

Apr 04 18:35:09.612914 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 69: 172.25.87.91.80 > 172.25.87.83.59394: P 249:252(3) ack 163 win 271 <nop,nop,timestamp 633492354 792163016>
.PV....PVSS...E..7.v..@..i..W[..WS.P....i....x........... %.S./7r.INS

Apr 04 18:35:09.613270 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59394 > 172.25.87.91.80: . ack 252 win 237 <nop,nop,timestamp 792163017 633492354> (DF)
.PVSS..PV.....E..4..@.@.M...WS..W[...P...x..i.....V...... /7r.%.S.

Apr 04 18:35:09.613283 00:50:56:86:e8:fd 00:50:56:53:53:06 0800 66: 172.25.87.83.59394 > 172.25.87.91.80: F 163:163(0) ack 252 win 237 <nop,nop,timestamp 792163017 633492354> (DF)
.PVSS..PV.....E..4..@.@.M...WS..W[...P...x..i.....V...... /7r.%.S.

Apr 04 18:35:09.613364 00:50:56:53:53:06 00:50:56:86:e8:fd 0800 66: 172.25.87.91.80 > 172.25.87.83.59394: . ack 164 win 271 <nop,nop,timestamp 633492354 792163017>
.PV....PVSS...E..4~...@.....W[..WS.P....i....y........... %.S./7r.

httpd.conf

# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#

# A minimal default server
server "default" {
	listen on $ext_addr port 80
	location "/pub/*" {
		directory auto index
	}
}

server "secure" {
	listen on $ext_addr tls port 443

	# TLS certificate and key files created with acme-client(1)
	tls certificate "/etc/ssl/obsd-build.pem"
	tls key "/etc/ssl/private/obsd-build.key"
	tls ciphers "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4:!DES:!MD5:!SHA1"
	tls protocols tlsv1.2
	location "/pub/*" {
		directory auto index
	}
}

# Include MIME types instead of the built-in ones
types {
	include "/usr/share/misc/mime.types"
}
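
A way to check a capture for the difference between the two pcaps above, as an added example that is not part of the original message: it scans tcpdump summary lines for connections where the client sent FIN but the server never sent FIN or RST. The function name `half_closed_flows` and the abridged sample lines (timestamp, MAC and option fields dropped from the post's captures) are assumptions of this example.

```python
import re

# tcpdump summary line: "src_ip.port > dst_ip.port: FLAGS ..."
PKT = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ([SFPRWE.]+) ")

def half_closed_flows(lines, server):
    """Client endpoints that sent FIN while the server never sent FIN or RST."""
    flows = {}  # client (ip, port) -> [client_closed, server_closed]
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # payload dump or blank line, not a packet summary
        src = (m.group(1), int(m.group(2)))
        dst = (m.group(3), int(m.group(4)))
        closing = "F" in m.group(5) or "R" in m.group(5)
        if src == server:
            flows.setdefault(dst, [False, False])[1] |= closing
        elif dst == server:
            flows.setdefault(src, [False, False])[0] |= closing
    return sorted(c for c, (cli, srv) in flows.items() if cli and not srv)

SERVER = ("172.25.87.91", 80)

# Abridged from the post's "good" (port 59386) and "bad" (port 59394) captures.
SAMPLE = """\
172.25.87.83.59386 > 172.25.87.91.80: P 1:159(158) ack 1 win 229
172.25.87.91.80 > 172.25.87.83.59386: P 1:234(233) ack 159 win 271
172.25.87.91.80 > 172.25.87.83.59386: FP 234:237(3) ack 159 win 271
172.25.87.83.59386 > 172.25.87.91.80: F 159:159(0) ack 238 win 237
172.25.87.91.80 > 172.25.87.83.59386: . ack 160 win 271
172.25.87.83.59394 > 172.25.87.91.80: P 1:163(162) ack 1 win 229
172.25.87.91.80 > 172.25.87.83.59394: P 1:249(248) ack 163 win 271
172.25.87.91.80 > 172.25.87.83.59394: P 249:252(3) ack 163 win 271
172.25.87.83.59394 > 172.25.87.91.80: F 163:163(0) ack 252 win 237
172.25.87.91.80 > 172.25.87.83.59394: . ack 164 win 271
"""

if __name__ == "__main__":
    for ip, port in half_closed_flows(SAMPLE.splitlines(), SERVER):
        print(f"server never closed connection from {ip}:{port}")
```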