Re: /bzr/squid3/trunk/ r9845: Correct header limit checks. 64KB max is REQUIRED.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 25 Jul 2009 12:39:44 +1200

Alex Rousskov wrote:
> On 07/24/2009 02:31 PM, Henrik Nordstrom wrote:
>> fre 2009-07-24 klockan 14:24 -0600 skrev Alex Rousskov:
>>>> - if (hdr_len > Config.maxReplyHeaderSize || (hdr_len <= 0 && (size_t)buf->contentSize() > Config.maxReplyHeaderSize)) {
>>>> + if (hdr_len >= Config.maxReplyHeaderSize || (hdr_len <= 0 && (size_t)buf->contentSize() > Config.maxReplyHeaderSize)) {
>
>>> Does the comparison need to be ">="? On the surface, it seems like this
>>> change contradicts expected maxReplyHeaderSize semantics and
>>> documentation because the maximum header size should still be allowed.
>
>> It's because we do not want to go above 64KB-1 at this time.
>
> Should not the maximum allowed Config.maxReplyHeaderSize value be
> changed to (64KB-1) instead, then?

I took Henriks word for it last night on this change. The TODO: notes
and debugs are wrong either way. The bounds check MUST occur before
sanityChecks.

The state we have now is that:
  * the MemBuf is limited to 2 GB!!
  * headersEnd ignores everything except the end of real content so far
or \r\n. returning 0 or N. where N is the position of that final \n in
a zero-based array.
  * Config.maxReplyHeaderSize may be 64KB -1 _including_ final \n

Problem is whether at N=64KB and \n present _at_ 64KB any String header
conversion will drop the final \n during its \0 termination or assert
with grow(N+1) > N ?
   assert(len_ + len < 65536); // otherwise snew.len_ overflows below

First problem case hits with minimal valid request having
   N=strlen(". ")+64KB_url. So the answer there appears to be no. Any
header longer than 64KB will have a total size >64KB.

The (rather limited) sanity checks do ensure that 2 bytes minimum are
taken up with first-line syntax. Leaving <64KB-1 for header Strings and
URL where the problem limits start occurring again.

So to conclude; I think the strictness of the limit here was only
relevant when MemBuf capacity was possibly within range of the max
header limits. We have at least 2 bytes of leeway now.

Do you agree?

>
>> Not sure anyone is going to care or even notice that 1 byte difference.
>
> I do care, and I would not be surprised if the check becomes "wrong"
> (i.e., correct!) again during some future code polishing.

Good point. Might as well polish set correctly now.

The more I understand of this the more polish I'm seeing :(

>
> At the very least there should be a comment there saying that this has
> to be that way, but I think enforcing a lower limit on the
> Config.maxReplyHeaderSize setting is the right solution.

I can think of situations (REST filled stuff) where a 14 byte first-line
is the entire headers. I would not put it past the REST people to
enforce stuff like that on some of their reverse-proxies.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Sat Jul 25 2009 - 00:39:58 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 27 2009 - 12:00:09 MDT