-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Frame forwarded h2 message to never overflow max frame size on receive side #1400
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR looks incomplete and there are several issues.
Also there are some traces #1378 (comment) which must be analyzed and fixed or reported as a separate issue.
…ects, all error responses
1c041ea
to
2396e30
Compare
3bcfbb9
to
4b17404
Compare
f008f09
to
9e9d02f
Compare
Never happens since we don't copy anything in the last page with body, but make the code safe it will happen once. Also fix warning on incomplete record case
The combined buffer was sent to http/2 client as a single body fragment and client receives extra garbage at the beginning of the body not allowing to parse it. This was an optimization for http/1, since the header is always written when body is sent. In http/2 the header is not required and native http/2 framing is used. Since http/1 is now compatibility mode, drop the optimization.
Two issues are fixed here. First, frang is called as early as possible now and sticky cookie module is not called for untrusted requests. So attacker cant stress cookie module from now on. But I can tell that about http tables, they are still vulnerable. Second, a null-dereference happened in frang if a request was already replied by sticky module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, only minor changes are required.
* no data in the next record part. | ||
*/ | ||
if (WARN_ON_ONCE(!trec->len)) | ||
return -EINVAL; | ||
p = trec->data; | ||
|
||
if (it->frag == MAX_SKB_FRAGS | ||
&& (r = tfw_msg_iter_append_skb(it))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems we should here also set SKBTX_SHARED_FRAG
flag as we do this above if sh_frag
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, we don't need to. tfw_msg_iter_append_skb()
not only add a new empty skb to the list, but also sets the same tx_flags
last skb had.
tempesta_fw/http.c
Outdated
|
||
/** | ||
* Split response body stored locally. Allocate a new skb and put body there | ||
* by fragments. Every skb fragment is has size of single page and has frame |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* by fragments. Every skb fragment is has size of single page and has frame | |
* by fragments. Every skb fragment has size of single page and has frame |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Fixed.
* processing thus no chunked body allowed, only plain TfwStr is accepted there. | ||
*/ | ||
static int | ||
tfw_h2_append_predefined_body(TfwHttpResp *resp, unsigned int stream_id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Offtopic] That's pity to generate static message body, but it seems we don't have much opportunities in the wonderful HTTP/2 world, so I close #163 (comment)
tempesta_fw/http.c
Outdated
* Run frang checks first before any processing happen. Can't start | ||
* the checks earlier, since vhost and specific client is required | ||
* for frang checks. | ||
* TDB: if a request was received in a single skb, the only frang check |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* TDB: if a request was received in a single skb, the only frang check | |
* TBD: if a request was received in a single skb, the only frang check |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Fixed.
tempesta_fw/http.c
Outdated
* for frang checks. | ||
* TDB: if a request was received in a single skb, the only frang check | ||
* happens here. Looks like http tables are not protected with | ||
* anti-DDoS limits and attacker may stress http tables as long as he |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* anti-DDoS limits and attacker may stress http tables as long as he | |
* anti-DDoS limits and attacker may stress http tables as long as they |
Here and at the below: ladies also can launch attacks as well ;) "They" is usually used in modern English even in singular form
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about 'attacker' as a gender-neutral term. Ok, fixed it.
tempesta_fw/http.c
Outdated
* to close the connection instead on sending 403 errors, but such | ||
* behaviour is not browser friendly and even may increase request | ||
* rate from browsers during "referer" attacks, since browser usually | ||
* retry failed and unreplied requests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we're good with the change and HTTP tables in general. There are HTTP rate limits now before them and also there are nftables rate limit and we're planning to use XDP (#1048) to block volumetric attacks early.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, you right here I was to furious and ddin't notice the fact we close connection every time we face block
action in http tables. Attackers then need to reopen connection every time to stress us, but now we filter them by new connection rate limit, which is normally much more strict than request rate. So we're good with the scenario (Also checked it on practice). Comment was updated.
size_t b_off; | ||
|
||
return __tfw_http_msg_body_dup(filename, &c_len_hdr, len, &b_off); | ||
return __tfw_http_msg_body_dup(filename, NULL, len, &b_off); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
__tfw_http_msg_body_dup()
is called only in http.c, so make it static
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
d31d7b3
to
c24cda4
Compare
#1378