TS-4697: free MIOBuffer if fails on ipallow check.

apache · Jul 23, 2016 · c01b37a · c01b37a
1 parent dd72dd5
commit c01b37a
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 13 deletions.
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
@@ -34,7 +34,7 @@ class SessionAccept : public Continuation
 public:
   SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { SET_HANDLER(&SessionAccept::mainEvent); }
   ~SessionAccept() {}
-  virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
+  virtual int accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
 
   /* Returns NULL if the specified client_ip is not allowed by ip_allow
    * Returns a pointer to the relevant IP policy for later processing otherwise */

diff --git a/iocore/net/P_SSLNextProtocolAccept.h b/iocore/net/P_SSLNextProtocolAccept.h
@@ -37,7 +37,7 @@ class SSLNextProtocolAccept : public SessionAccept
   SSLNextProtocolAccept(Continuation *, bool);
   ~SSLNextProtocolAccept();
 
-  void accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
+  int accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
 
   // Register handler as an endpoint for the specified protocol. Neither
   // handler nor protocol are copied, so the caller must guarantee their

diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc
@@ -145,10 +145,11 @@ SSLNextProtocolAccept::mainEvent(int event, void *edata)
   }
 }
 
-void
+int
 SSLNextProtocolAccept::accept(NetVConnection *, MIOBuffer *, IOBufferReader *)
 {
   ink_release_assert(0);
+  return EVENT_CONT;
 }
 
 bool

diff --git a/proxy/ProtocolProbeSessionAccept.cc b/proxy/ProtocolProbeSessionAccept.cc
@@ -108,7 +108,9 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
     }
 
     // Directly invoke the session acceptor, letting it take ownership of the input buffer.
-    probeParent->endpoint[key]->accept(netvc, this->iobuf, reader);
+    if (probeParent->endpoint[key]->accept(netvc, this->iobuf, reader) != EVENT_CONT ) {
+      goto done;
+    }
     delete this;
     return EVENT_CONT;
 
@@ -151,10 +153,11 @@ ProtocolProbeSessionAccept::mainEvent(int event, void *data)
   return EVENT_CONT;
 }
 
-void
+int
 ProtocolProbeSessionAccept::accept(NetVConnection *, MIOBuffer *, IOBufferReader *)
 {
   ink_release_assert(0);
+  return EVENT_CONT;
 }
 
 void

diff --git a/proxy/ProtocolProbeSessionAccept.h b/proxy/ProtocolProbeSessionAccept.h
@@ -48,7 +48,7 @@ class ProtocolProbeSessionAccept : public SessionAccept, public ProtocolProbeSes
   ~ProtocolProbeSessionAccept() {}
   void registerEndpoint(ProtoGroupKey key, SessionAccept *ap);
 
-  void accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
+  int accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
 
 private:
   int mainEvent(int event, void *netvc);

diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc
@@ -27,7 +27,7 @@
 #include "I_Machine.h"
 #include "Error.h"
 
-void
+int
 HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader)
 {
   sockaddr const *client_ip   = netvc->get_remote_addr();
@@ -46,7 +46,7 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade
       ////////////////////////////////////////////////////
       Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
       netvc->do_io_close();
-      return;
+      return EVENT_DONE;
     }
   }
 
@@ -73,7 +73,7 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade
 
   new_session->new_connection(netvc, iobuf, reader, backdoor);
 
-  return;
+  return EVENT_CONT;
 }
 
 int

diff --git a/proxy/http/HttpSessionAccept.h b/proxy/http/HttpSessionAccept.h
@@ -205,7 +205,7 @@ class HttpSessionAccept : public SessionAccept, private detail::HttpSessionAccep
   }
 
   ~HttpSessionAccept() { return; }
-  void accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
+  int accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
   int mainEvent(int event, void *netvc);
 
 private:

diff --git a/proxy/http2/Http2SessionAccept.cc b/proxy/http2/Http2SessionAccept.cc
@@ -36,7 +36,7 @@ Http2SessionAccept::~Http2SessionAccept()
 {
 }
 
-void
+int
 Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader)
 {
   sockaddr const *client_ip           = netvc->get_remote_addr();
@@ -45,7 +45,7 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead
     ip_port_text_buffer ipb;
     Warning("HTTP/2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
     netvc->do_io_close();
-    return;
+    return EVENT_DONE;
   }
   netvc->attributes = this->options.transport_type;
 
@@ -59,6 +59,8 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead
   Http2ClientSession *new_session = THREAD_ALLOC_INIT(http2ClientSessionAllocator, this_ethread());
   new_session->acl_record         = session_acl_record;
   new_session->new_connection(netvc, iobuf, reader, false /* backdoor */);
+
+  return EVENT_CONT;
 }
 
 int

diff --git a/proxy/http2/Http2SessionAccept.h b/proxy/http2/Http2SessionAccept.h
@@ -43,7 +43,7 @@ struct Http2SessionAccept : public SessionAccept {
   explicit Http2SessionAccept(const HttpSessionAccept::Options &);
   ~Http2SessionAccept();
 
-  void accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
+  int accept(NetVConnection *, MIOBuffer *, IOBufferReader *);
   int mainEvent(int event, void *netvc);
 
 private:
-Original file line number
+Diff line change
@@ Expand Up / @@ -145,10 +145,11 @@ SSLNextProtocolAccept::mainEvent(int event, void *edata) @@
       }
     }
-    void
+    int
     SSLNextProtocolAccept::accept(NetVConnection *, MIOBuffer *, IOBufferReader *)
     {
       ink_release_assert(0);
+      return EVENT_CONT;
     }
     bool
@@ Expand Down @@