Frame forwarded h2 message to never overflow max frame size on receive side #1400
Conversation
There was a problem hiding this comment.
The PR looks incomplete and there are several issues.
Also there are some traces #1378 (comment) which must be analyzed and fixed or reported as a separate issue.
…ects, all error responses
vankoven
force-pushed
the
ik-frame-h2-messages
branch
from
1c041ea
to
2396e30
Compare
vankoven
force-pushed
the
ik-frame-h2-messages
branch
from
3bcfbb9
to
4b17404
Compare
vankoven
force-pushed
the
ik-frame-h2-messages
branch
from
f008f09
to
9e9d02f
Compare
Never happens since we don't copy anything in the last page with body, but make the code safe it will happen once. Also fix warning on incomplete record case
The combined buffer was sent to http/2 client as a single body fragment and client receives extra garbage at the beginning of the body not allowing to parse it. This was an optimization for http/1, since the header is always written when body is sent. In http/2 the header is not required and native http/2 framing is used. Since http/1 is now compatibility mode, drop the optimization.
Two issues are fixed here. First, frang is called as early as possible now and sticky cookie module is not called for untrusted requests. So attacker cant stress cookie module from now on. But I can tell that about http tables, they are still vulnerable. Second, a null-dereference happened in frang if a request was already replied by sticky module.
| * no data in the next record part. | ||
| */ | ||
| if (WARN_ON_ONCE(!trec->len)) | ||
| return -EINVAL; | ||
| p = trec->data; | ||
|
|
||
| if (it->frag == MAX_SKB_FRAGS | ||
| && (r = tfw_msg_iter_append_skb(it))) |
There was a problem hiding this comment.
It seems we should here also set SKBTX_SHARED_FRAG flag as we do this above if sh_frag
There was a problem hiding this comment.
No, we don't need to. tfw_msg_iter_append_skb() not only add a new empty skb to the list, but also sets the same tx_flags last skb had.
tempesta_fw/http.c
Outdated
|
|
||
| /** | ||
| * Split response body stored locally. Allocate a new skb and put body there | ||
| * by fragments. Every skb fragment is has size of single page and has frame |
There was a problem hiding this comment.
| * by fragments. Every skb fragment is has size of single page and has frame | |
| * by fragments. Every skb fragment has size of single page and has frame |
| * processing thus no chunked body allowed, only plain TfwStr is accepted there. | ||
| */ | ||
| static int | ||
| tfw_h2_append_predefined_body(TfwHttpResp *resp, unsigned int stream_id, |
There was a problem hiding this comment.
[Offtopic] That's pity to generate static message body, but it seems we don't have much opportunities in the wonderful HTTP/2 world, so I close #163 (comment)
tempesta_fw/http.c
Outdated
| * Run frang checks first before any processing happen. Can't start | ||
| * the checks earlier, since vhost and specific client is required | ||
| * for frang checks. | ||
| * TDB: if a request was received in a single skb, the only frang check |
There was a problem hiding this comment.
| * TDB: if a request was received in a single skb, the only frang check | |
| * TBD: if a request was received in a single skb, the only frang check |
tempesta_fw/http.c
Outdated
| * for frang checks. | ||
| * TDB: if a request was received in a single skb, the only frang check | ||
| * happens here. Looks like http tables are not protected with | ||
| * anti-DDoS limits and attacker may stress http tables as long as he |
There was a problem hiding this comment.
| * anti-DDoS limits and attacker may stress http tables as long as he | |
| * anti-DDoS limits and attacker may stress http tables as long as they |
Here and at the below: ladies also can launch attacks as well ;) "They" is usually used in modern English even in singular form
There was a problem hiding this comment.
I thought about 'attacker' as a gender-neutral term. Ok, fixed it.
tempesta_fw/http.c
Outdated
| * to close the connection instead on sending 403 errors, but such | ||
| * behaviour is not browser friendly and even may increase request | ||
| * rate from browsers during "referer" attacks, since browser usually | ||
| * retry failed and unreplied requests. |
There was a problem hiding this comment.
I believe we're good with the change and HTTP tables in general. There are HTTP rate limits now before them and also there are nftables rate limit and we're planning to use XDP (#1048) to block volumetric attacks early.
There was a problem hiding this comment.
Yeah, you right here I was to furious and ddin't notice the fact we close connection every time we face block action in http tables. Attackers then need to reopen connection every time to stress us, but now we filter them by new connection rate limit, which is normally much more strict than request rate. So we're good with the scenario (Also checked it on practice). Comment was updated.
| size_t b_off; | ||
|
|
||
| return __tfw_http_msg_body_dup(filename, &c_len_hdr, len, &b_off); | ||
| return __tfw_http_msg_body_dup(filename, NULL, len, &b_off); |
There was a problem hiding this comment.
__tfw_http_msg_body_dup() is called only in http.c, so make it static
vankoven
force-pushed
the
ik-frame-h2-messages
branch
from
d31d7b3
to
c24cda4
Compare
#1378