Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http: fix parsing of binary upgrade response body #17806

Closed
wants to merge 1 commit into from

Conversation

bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented Dec 21, 2017

Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: #17789
CI: https://ci.nodejs.org/job/node-test-commit/15003/

@nodejs-github-bot nodejs-github-bot added the http Issues or PRs related to the http subsystem. label Dec 21, 2017
@@ -471,29 +470,22 @@ function parserOnIncomingClient(res, shouldKeepAlive) {
// We already have a response object, this means the server
// sent a double response.
socket.destroy();
return;
return 0; // No special treatment.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before anyone asks - yes, these could be constants, please suggest good names. :-)

(They don't have names in http_parser either though.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just made these up on the spot. Feel free to ignore. How about kSkipBodyAsUpgrade, kSkipBodyNoUpgrade... and I don't know for the 0 case.

// to the content-length of the entity-body had the request
// been a GET.
var isHeadResponse = req.method === 'HEAD';
debug('AGENT isHeadResponse', isHeadResponse);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed because not very useful and slightly misleading - this is not inside the agent.

@@ -616,7 +616,7 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
} else {
server.emit('request', req, res);
}
return false; // Not a HEAD response. (Not even a response!)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bogus comment, removed.

if (!upgrade) {
// For upgraded connections and CONNECT method request, we'll emit this
// after parser.execute so that we can capture the first part of the new
// protocol.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly wrong comment, removed.

// https://github.com/nodejs/node/issues/17789 - a connection upgrade response
// that has a Transfer-Encoding header and a body whose first byte is > 127
// triggers a bug where said byte is skipped over.
net.createServer(function(conn) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This callback and the one passed to listen could also be wrapped in common.mustCall.

@@ -471,29 +470,22 @@ function parserOnIncomingClient(res, shouldKeepAlive) {
// We already have a response object, this means the server
// sent a double response.
socket.destroy();
return;
return 0; // No special treatment.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just made these up on the spot. Feel free to ignore. How about kSkipBodyAsUpgrade, kSkipBodyNoUpgrade... and I don't know for the 0 case.

@maclover7
Copy link
Contributor

ping @bnoordhuis

@joyeecheung
Copy link
Member

Is this ready to land? Or do you want to fix the nits before this PR gets landed? @bnoordhuis

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jan 19, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: nodejs#17789
@bnoordhuis
Copy link
Member Author

bnoordhuis commented Jan 19, 2018

Rebased + new CI: https://ci.nodejs.org/job/node-test-commit/15534/

I've incorporated the comments about the test. I decided to leave the constants unnamed.

BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Jan 21, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: nodejs#17789

PR-URL: nodejs#17806
Fixes: nodejs#17789
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@BridgeAR
Copy link
Member

Landed in de4600e

@BridgeAR BridgeAR closed this Jan 21, 2018
evanlucas pushed a commit that referenced this pull request Jan 30, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: #17789

PR-URL: #17806
Fixes: #17789
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
evanlucas pushed a commit that referenced this pull request Jan 30, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: #17789

PR-URL: #17806
Fixes: #17789
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@MylesBorins
Copy link
Contributor

Should this be backported to LTS? It lands cleanly on 8.x but will need a manual backport to v6.x

@bnoordhuis
Copy link
Member Author

Yes, should be back-ported. I'll look into the v6.x back-port.

@jeroenvollenbrock
Copy link

@gibfahn Is there any reason this one was not included in 8.10.0? I can confirm the bug persists in node 8.11.1 :)

MylesBorins pushed a commit that referenced this pull request Apr 11, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: #17789

PR-URL: #17806
Fixes: #17789
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@MylesBorins
Copy link
Contributor

@jeroenvollenbrock not sure why it was missed... I've landed it on staging

@bnoordhuis did you have a chance to look into the 6.x backport?

@MylesBorins MylesBorins mentioned this pull request May 2, 2018
MayaLekova pushed a commit to MayaLekova/node that referenced this pull request May 8, 2018
Fix a bug where a connection upgrade response with a Transfer-Encoding
header and a body whose first byte is > 127 causes said byte to be
dropped on the floor when passing the remainder of the message to
the 'upgrade' event listeners.

Fixes: nodejs#17789

PR-URL: nodejs#17806
Fixes: nodejs#17789
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@shellscape
Copy link

@lpinca @MylesBorins it looks like Node 10.14.1 has a regression and this problem has snuck back into the release. This gist can consistently reproduce the error: https://gist.github.com/shellscape/2020916f92be5d61f4d411fb6d2bce61

Note that stepping back down to any 10.x version lower than 10.14.0 does not reproduce the error.

@lpinca
Copy link
Member

lpinca commented Dec 11, 2018

@shellscape none of these commits https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#2018-11-29-version-10141-dubnium-lts-mylesborins seem related.

Try to reproduce it only with core modules. This fix landed with regression tests so chances are the issue you are experiencing is different / not in node core.

@shellscape
Copy link

@lpinca indeed, which baffled me. we've spun up brand new containers to verify the issue was isolated to 10.14.x. same containers from scratch with 10.13.x are completely fine.

@MylesBorins
Copy link
Contributor

I'll dig into the repro and see what's going on

@shellscape
Copy link

@MylesBorins much appreciated. if you end up needing that in a separate repository, say the word and it shall be done.

@BridgeAR
Copy link
Member

BridgeAR commented Dec 11, 2018

@shellscape would you be so kind and open a new issue about this with as much information as possible? That way it's easier to track the progress :)

@shellscape
Copy link

@BridgeAR I'll do my best, please don't nuke it right away if there's something lacking, happy to clean it up to spec. It'll be my first Node org issue.

@BridgeAR
Copy link
Member

Don't worry, we normally only close an issue if they it's resolved, not a core issue or in the wrong repository.

As @lpinca pointed out, it's best to try to reduce the test case further by removing any third party modules. That way looking into it becomes much easier.

@shellscape
Copy link

@BridgeAR #24958. Trying to reproduce this with core modules is a bit beyond my range of ability. Gave it a shot, but there's a lot of knowledge needed to reproduce the same conditions that I apparently don't have as yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. http Issues or PRs related to the http subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

http_parser takes one byte to much, upgrade websockets