Bug 62196 - Proxy response headers can be thrown away after processing a large header
Summary: Proxy response headers can be thrown away after processing a large header
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http (show other bugs)
Version: 2.5-HEAD
Hardware: PC Mac OS X 10.1
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2018-03-20 15:53 UTC by Hank Ibell
Modified: 2018-08-04 10:29 UTC (History)
0 users


Attachments
Use AP_GETLINE_NOSPC_EOL flag for ap_proxy_read_headers() (4.00 KB, patch)
2018-04-12 17:47 UTC, Yann Ylavic 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Ibell 2018-03-20 15:53:17 UTC 
Response headers from a proxied request can be thrown away after reading a large header. If a header exceeds the the buffer size by a small amount -- say the buffer size is 8 KB and the header is 10 KB -- the next header that is read will be thrown away.

This looks to be due to ap_rgetline_core throwing away the extra bit of data when it detects that the buffer would be overrun. ap_proxy_read_headers() in mod_proxy_http.c then tries to soak up the 'extra data' which was already thrown away by ap_rgetline_core and causes the next header to be thrown away:

    while ((len = ap_getline(field, MAX_STRING_LEN, rr, 1))
            >= MAX_STRING_LEN - 1) {
        /* soak up the extra data */
    }

Removing the while loop does not fix the problem because extra data will be left from a large header that is at least 3x the proxy response buffer size. The extra data is then seen as an invalid header and results in a HTTP 502 response.


In the example below, X-Test-Header-2 will be thrown away.

Sample config:
<VirtualHost *:80>
  ProxyPass "/test" "http://localhost:8080"
  ProxyPassReverse "/test" "http://localhost:8080"
</VirtualHost>

<VirtualHost *:8080>
  Header set X-Test-Header-1 "AAAAAAAAAAAAAAA..." # large header > 8KB
  Header set X-Test-Header-2 "Testing 1 2 3"
</VirtualHost>

Request/response:
$ curl -sD - http://localhost/test -o /dev/null
HTTP/1.1 200 OK
Date: Tue, 20 Mar 2018 15:46:37 GMT
Server: Apache/2.5.1-dev (Unix)
Last-Modified: Sun, 06 Nov 2016 05:34:43 GMT
ETag: "2d-5409b43abe2c0"
Accept-Ranges: bytes
Content-Length: 45
X-Test-Header-1: AAAA... [truncated]
Content-Type: text/html

Backend trace:
[Tue Mar 20 15:46:37.801645 2018] [headers:trace2] [pid 86969:tid 123145425690624] mod_headers.c(880): AH01502: headers: ap_headers_output_filter()
[Tue Mar 20 15:46:37.801714 2018] [http:trace3] [pid 86969:tid 123145425690624] http_filters.c(1070): [client ::1:59315] Response sent with status 200, headers:
[Tue Mar 20 15:46:37.801767 2018] [http:trace5] [pid 86969:tid 123145425690624] http_filters.c(1079): [client ::1:59315]   Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.801790 2018] [http:trace5] [pid 86969:tid 123145425690624] http_filters.c(1082): [client ::1:59315]   Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.801889 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   Last-Modified: Sun, 06 Nov 2016 05:34:43 GMT
[Tue Mar 20 15:46:37.801915 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.801931 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   Accept-Ranges: bytes
[Tue Mar 20 15:46:37.801944 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   Content-Length: 45
[Tue Mar 20 15:46:37.801972 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.802032 2018] [http:trace4] [pid 86969:tid 123145425690624] http_filters.c(900): [client ::1:59315]   X-Test-Header-2: Testing 1 2 3

Proxy trace:
[Tue Mar 20 15:46:37.805911 2018] [http:trace3] [pid 86970:tid 123145344696320] http_filters.c(1070): [client ::1:59314] Response sent with status 200, headers:
[Tue Mar 20 15:46:37.805926 2018] [http:trace5] [pid 86970:tid 123145344696320] http_filters.c(1079): [client ::1:59314]   Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.805938 2018] [http:trace5] [pid 86970:tid 123145344696320] http_filters.c(1082): [client ::1:59314]   Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.805952 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   Last-Modified: Sun, 06 Nov 2016 05:34:43 GMT
[Tue Mar 20 15:46:37.805964 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.805976 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   Accept-Ranges: bytes
[Tue Mar 20 15:46:37.805987 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   Content-Length: 45
[Tue Mar 20 15:46:37.806009 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.806057 2018] [http:trace4] [pid 86970:tid 123145344696320] http_filters.c(900): [client ::1:59314]   Content-Type: text/html
[Tue Mar 20 15:46:37.806090 2018] [core:trace6] [pid 86970:tid 123145344696320] util_filter.c(797): [client ::1:59314] reinstate empty brigade to full brigade in 'req_core' output filter
Comment 1 Yann Ylavic 2018-04-12 17:47:19 UTC 
Created attachment 35864 [details]
Use AP_GETLINE_NOSPC_EOL flag for ap_proxy_read_headers()

Pairs with https://bz.apache.org/bugzilla/attachment.cgi?id=35863 (or update) from Bug 62198.

Don't both patches resolve this issue?
Comment 2 Yann Ylavic 2018-04-19 16:08:46 UTC 
Committed to trunk in r1829573.
Comment 3 Christophe JAILLET 2018-08-04 10:29:26 UTC 
This has been backported in 2.4.x in r1834093

This is part of 2.4.34