From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Stoiko Ivanov <s.ivanov@proxmox.com>
Subject: Re: [pve-devel] [PATCH http-server v2 3/5] accept-phase: shutdown socket on early error
Date: Mon, 7 Dec 2020 11:39:48 +0100 [thread overview]
Message-ID: <a5649c78-c6e3-5c0f-ccf3-87203eb6a42f@proxmox.com> (raw)
In-Reply-To: <20201204175629.30116-4-s.ivanov@proxmox.com>
On 04.12.20 18:56, Stoiko Ivanov wrote:
> if an error happens before AnyEvent::Handle registers the cleanup
> callback, we should shutdown the socket, when handling it.
>
> Co-Authored-by: Dominik Csapak <d.csapak@proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> PVE/APIServer/AnyEvent.pm | 18 ++++++++++++++++--
> 1 file changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index af2fde8..a679006 100644
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -1535,6 +1535,11 @@ sub check_host_access {
>
> my $cip = Net::IP->new($clientip);
>
> + if (!$cip) {
> + self->dprint("client IP not parsable: $@");
> + return 0;
> + }
> +
> my $match_allow = 0;
> my $match_deny = 0;
>
> @@ -1567,10 +1572,13 @@ sub check_host_access {
> sub accept_connections {
> my ($self) = @_;
>
> - my $hdl_err;
> + my ($clientfh, $early_err, $hdl_err);
ah OK, ignore my regards to "$early_err" in the previous comment, I thought it was pre-exsiting...
> eval {
>
> - while (my $clientfh = $self->accept()) {
> + while (1) {
> + $early_err = 1;
> + $clientfh = $self->accept();
> + last if !$clientfh;
what use has above change? Why not keeping it as is, you can still declare $clientfh
earlier to extend it's scope:
> + while ($clientfh = $self->accept()) {
>
> my $reqstate = { keep_alive => $self->{keep_alive} };
>
> @@ -1582,14 +1590,19 @@ sub accept_connections {
> if (my $sin = getpeername($clientfh)) {
> my ($pfamily, $pport, $phost) = PVE::Tools::unpack_sockaddr_in46($sin);
> ($reqstate->{peer_port}, $reqstate->{peer_host}) = ($pport, Socket::inet_ntop($pfamily, $phost));
> + } else {
> + shutdown($clientfh, 1);
Do we still plan to send anything? I.e., was `1` (SHUT_RD) used because of caution or
are there more explicit reasons for not using `2` (SHUT_RDWR)? Can be fine, but would
be good to know.
> + next;
> }
>
> if (!$self->{trusted_env} && !$self->check_host_access($reqstate->{peer_host})) {
> print "$$: ABORT request from $reqstate->{peer_host} - access denied\n" if $self->{debug};
> $reqstate->{log}->{code} = 403;
> $self->log_request($reqstate);
> + shutdown($clientfh, 1);
same as above
> next;
> }
> + $early_err = 0;
>
> $hdl_err = 1;
> $self->{conn_count}++;
> @@ -1625,6 +1638,7 @@ sub accept_connections {
>
> if (my $err = $@) {
> syslog('err', $err);
> + shutdown($clientfh, 1) if $early_err || $hdl_err;
same as above, and maybe we could do with just one such flag variables, reducing the combination
matrix a bit.
> if ($hdl_err) {
> if ($self->{conn_count} <= 0) {
> my $msg = "connection count <= 0 not decrementing!\n";
>
next prev parent reply other threads:[~2020-12-07 10:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-04 17:56 [pve-devel] [PATCH http-server v2 0/5] improve error handling in accept_connections Stoiko Ivanov
2020-12-04 17:56 ` [pve-devel] [PATCH http-server v2 1/5] add debug print helper Stoiko Ivanov
2020-12-07 10:11 ` Thomas Lamprecht
2020-12-04 17:56 ` [pve-devel] [PATCH http-server v2 2/5] accept-phase: fix conn_count "leak" Stoiko Ivanov
2020-12-07 10:28 ` Thomas Lamprecht
2020-12-04 17:56 ` [pve-devel] [PATCH http-server v2 3/5] accept-phase: shutdown socket on early error Stoiko Ivanov
2020-12-07 10:39 ` Thomas Lamprecht [this message]
2020-12-04 17:56 ` [pve-devel] [PATCH http-server v2 4/5] add debug log for problems during accept Stoiko Ivanov
2020-12-07 10:50 ` Thomas Lamprecht
2020-12-04 17:56 ` [pve-devel] [PATCH http-server v2 5/5] debug: uniformly use dprint Stoiko Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a5649c78-c6e3-5c0f-ccf3-87203eb6a42f@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.ivanov@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal