Add a new method, ctl(), to muxes. It uses a "enum mux_ctl_type" to
let it know which information we're asking for, and can output it either
directly by returning the expected value, or by using an optional argument.
"output" argument.
Right now, the only known mux_ctl_type is MUX_STATUS, that will return 0 if
the mux is not ready, or MUX_STATUS_READY if the mux is ready.
We probably want to backport this to 1.9 and 2.0.
This reverts commit 9e46496d45. It was
wrong and is not reliable, depending on the compiler's version and
optimization, as the struct is assigned inside a statement, thus on
its own stack. It's not needed anymore now so let's remove this.
We previously relied on chunk_cat(dst, b_fromist(src)) for this but it
is not reliable as the allocated buffer is inside the expression and
may be on a temporary stack. While it's possible to allocate stack space
for a struct and return a pointer to it, it's not possible to initialize
it form a temporary variable to prevent arguments from being evaluated
multiple times. Since this is only used to append an ist after a chunk,
let's instead have a chunk_istcat() function to perform exactly this
from a native ist.
The only call place (URI computation in the cache) was updated.
There were very few entries to fix and this warning, while often
wrong, can actually spot future issues. If it can help developers
adjust their code in the future to make it more robust, it's not
necessarily that bad. Let's re-enable it and see how it goes.
Actually gcc believes it has detected a possible truncation but it
cannot since the output string is necessarily at least one char
shorter than what it expects. However addressing it is easy and
removes the need for an intermediate copy so let's do it.
The per-thread UUID string produced by generate_pseudo_uuid() could be
off by one character due to too small of size limit in snprintf(). In
practice the UUID remains large enough to avoid any collision though.
This should be backported to 2.0 and 1.9.
The gcc warning about format truncation in get_gmt_offset() is annoying
since we always call it with a valid time thus it cannot fail. However
it's true that nothing guarantees that future code reuses this function
incorrectly in the future, so better enforce the modulus on one day and
shut the warning.
- Clarify that everything and not only the matched part is replaced (GitHub #328)
- Reduce duplication and inconsistencies by referring to a single canonical directive
that includes everything one needs to know about.
- Fix indentation
cirrus ci builds are now limited to branches master, next
travis-ci images are upgraded to ubuntu bionic
cygwin builds are temporarily disabled on travis-ci
(maybe someone will figure out how to fix them, here's link
https://travis-ci.community/t/cygwin-issue-cygheap-base-mismatch-detected/5359/2 )
openssl upgraded to 1.0.2t, 1.1.0l, 1.1.1d
libressl are upgraded (2.9.2, 2.8.3, 2.7.5) --> (3.0.2, 2.9.2, 2.8.3)
Rework the 'set ssl cert' IO handler so it is clearer.
Use its own SETCERT_ST_* states insted of the STAT_ST ones.
Use an inner loop in SETCERT_ST_GEN and SETCERT_ST_INSERT to do the work
for both the certificate and the bundle.
The io_release() is now called only when the CKCH spinlock is taken so
we can unlock during a release without any condition.
Since commit 90b098c ("BUG/MINOR: cli: don't call the kw->io_release if
kw->parse failed"), the io_release() callback is not called anymore when
the parse() failed. Call it directly on the error path of the
cli_parse_set_cert() function.
Cyril Bonté reported that the doc contains two chapters number 6,
one of which is a leftover of the section about old header manipulation
directives that were removed by commit a6a56e6 ("MEDIUM: config: Remove
parsing of req* and rsp* directives"). This patch removes this.
This bug is pretty pernicious and have serious consequences : In 2.1, an
infinite loop in process_stream() because the backend stream-interface remains
in the ready state (SI_ST_RDY). In 2.0, a call in loop to process_stream()
because the stream-interface remains blocked in the connect state
(SI_ST_CON). In both cases, it happens after a connection retry attempt. In 1.9,
it seems to not happen. But it may be just by chance or just because it is
harder to get right conditions to trigger the bug. However, reading the code,
the bug seems to exist too.
Here is how the bug happens in 2.1. When we try to establish a new connection to
a server, the corresponding stream-interface is first set to the connect state
(SI_ST_CON). When the underlying connection is known to be connected (the flag
CO_FL_CONNECTED set), the stream-interface is switched to the ready state
(SI_ST_RDY). It is a transient state between the connect state (SI_ST_CON) and
the established state (SI_ST_EST). It must be handled on the next call to
process_stream(), which is responsible to operate the transition. During all
this time, errors can occur. A connection error or a client abort. The transient
state SI_ST_RDY was introduced to let a chance to process_stream() to catch
these errors before considering the connection as fully established.
Unfortunatly, if a read0 is catched in states SI_ST_CON or SI_ST_RDY, it is
possible to have a shutdown without transition to SI_ST_DIS (in fact, here,
SI_ST_CON is swichted to SI_ST_RDY). This happens if the request was fully
received and analyzed. In this case, the flag SI_FL_NOHALF is set on the backend
stream-interface. If an error is also reported during the connect, the behavior
is undefined because an error is returned to the client and a connection retry
is performed. So on the next connection attempt to the server, if another error
is reported, a client abort is detected. But the shutdown for writes was already
done. So the transition to the state SI_ST_DIS is impossible. We stay in the
state SI_ST_RDY. Because it is a transient state, we loop in process_stream() to
perform the transition.
It is hard to understand how the bug happens reading the code and even harder to
explain. But there is a trivial way to hit the bug by sending h2 requests to a
server only speaking h1. For instance, with the following config :
listen tst
bind *:80
server www 127.0.0.1:8000 proto h2 # in reality, it is a HTTP/1.1 server
It is a configuration error, but it is an easy way to observe the bug. Note it
may happen with a valid configuration.
So, after a careful analyzis, it appears that si_cs_recv() should never be
called for a not fully established stream-interface. This way the connection
retries will be performed before reporting an error to the client. Thus, if a
shutdown is performed because a read0 is handled, the stream-interface is
inconditionnaly set to the transient state SI_ST_DIS.
This patch must be backported to 2.0 and 1.9. However on these versions, this
patch reveals a design flaw about connections and a bad way to perform the
connection retries. We are working on it.
In h2_send(), when something is sent, we remove the flags
(H2_CF_MUX_MFULL|H2_CF_DEM_MROOM) on the h2 connection. This way, we are able to
wake up all streams waiting to send data. Unfortunatly, these flags are
unconditionally removed, even when nothing was sent. So if the h2c is blocked
because the mux buffers are full and we are unable to send anything, all streams
in the send_list are woken up for nothing. Now, we only remove these flags if at
least a send succeeds.
This patch must be backport to 2.0.
The io_release() callback of the cli_kw is supposed to be used to clean
what an io_handler() has made. It is called once the work in the IO
handler is finished, or when the connection was aborted by the client.
This patch fixes a bug where the io_release callback was called even
when the parse() callback failed. Which means that the io_release() could
called even if the io_handler() was not called.
Should be backported in every versions that have a cli_kw->release().
(as far as 1.7)
Released version 2.1-dev3 with the following main changes :
- MINOR: mux-h2/trace: missing conn pointer in demux full message
- MINOR: mux-h2: add a per-connection list of blocked streams
- BUILD: ebtree: make eb_is_empty() and eb_is_dup() take a const
- BUG/MEDIUM: mux-h2: do not enforce timeout on long connections
- BUG/MEDIUM: tasks: Don't forget to decrement tasks_run_queue.
- BUG/MINOR: peers: crash on reload without local peer.
- BUG/MINOR: mux-h2/trace: Fix traces on h2c initialization
- MINOR: h1-htx: Update h1_copy_msg_data() to ease the traces in the mux-h1
- MINOR: htx: Adapt htx_dump() to be used from traces
- MINOR: mux-h1/trace: register a new trace source with its events
- MINOR: proxy: Store http-send-name-header in lower case
- MINOR: http: Remove headers matching the name of http-send-name-header option
- BUG/MINOR: mux-h1: Adjust header case when the server name is add to a request
- BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message
- MINOR: mux-h1: Try to wakeup the stream on output buffer allocation
- MINOR: fcgi: Add function to get the string representation of a record type
- MINOR: mux-fcgi/trace: Register a new trace source with its events
- BUG/MEDIUM: cache: make sure not to cache requests with absolute-uri
- DOC: clarify some points around http-send-name-header's behavior
- MEDIUM: mux-h2: support emitting CONTINUATION frames after HEADERS
- BUG/MINOR: mux-h1/mux-fcgi/trace: Fix position of the 4th arg in some traces
- DOC: fix typo in Prometheus exporter doc
- MINOR: h2: clarify the rules for how to convert an H2 request to HTX
- MINOR: htx: Add 2 flags on the start-line to have more info about the uri
- MINOR: http: Add a function to get the authority into a URI
- MINOR: h1-htx: Set the flag HTX_SL_F_HAS_AUTHORITY during the request parsing
- MEDIUM: http-htx: Keep the Host header and the request start-line synchronized
- MINOR: h1-htx: Only use the path of a normalized URI to format a request line
- MEDIUM: h2: make the request parser rebuild a complete URI
- MINOR: h2: report in the HTX flags when the request has an authority
- MEDIUM: mux-h2: do not map Host to :authority on output
- MEDIUM: h2: use the normalized URI encoding for absolute form requests
- MINOR: stats: mention in the help message support for "json" and "typed"
- MINOR: stats: get rid of the ST_CONVDONE flag
- MINOR: stats: replace the ST_* uri_auth flags with STAT_*
- MINOR: stats: always merge the uri_auth flags into the appctx flags
- MINOR: stats: set the appctx flags when initializing the applet only
- MINOR: stats: get rid of the STAT_SHOWADMIN flag
- MINOR: stats: make stats_dump_fields_json() directly take flags
- MINOR: stats: uniformize the calling convention of the dump functions
- MINOR: stats: support the "desc" output format modifier for info and stat
- MINOR: stats: prepare to add a description with each stat/info field
- MINOR: stats: make "show stat" and "show info"
- MINOR: stats: fill all the descriptions for "show info" and "show stat"
- BUG/MEDIUM: applet: always check a fast running applet's activity before killing
- BUILD: stats: fix missing '=' sign in array declaration
- MINOR: lists: add new macro LIST_SPLICE_END_DETACHED
- MINOR: list: add new macro MT_LIST_BEHEAD
- MEDIUM: task: Split the tasklet list into two lists.
- MINOR: h2: Document traps to be avoided on multithread.
- MINOR: lists: Try to use local variables instead of macro arguments.
- MINOR: lists: Fix alignement of \ when relevant.
- MINOR: mux-h2: also support emitting CONTINUATION on trailers
- MINOR: ssl: crt-list do ckchn_lookup
- REORG: ssl: rename ckch_node to ckch_store
- REORG: ssl: move structures to ssl_sock.h
- MINOR: ssl: initialize the sni_keytypes_map as EB_ROOT
- MINOR: ssl: initialize explicitly the sni_ctx trees
- BUG/MINOR: ssl: abort on sni allocation failure
- BUG/MINOR: ssl: free the sni_keytype nodes
- BUG/MINOR: ssl: abort on sni_keytypes allocation failure
- MEDIUM: ssl: introduce the ckch instance structure
- MEDIUM: ssl: split ssl_sock_add_cert_sni()
- MINOR: ssl: ssl_sock_load_ckchn() can properly fail
- MINOR: ssl: ssl_sock_load_multi_ckchs() can properly fail
- MEDIUM: ssl: ssl_sock_load_ckchs() alloc a ckch_inst
- MINOR: ssl: ssl_sock_load_crt_file_into_ckch() is filling from a BIO
- MEDIUM: ssl/cli: 'set ssl cert' updates a certificate from the CLI
- MINOR: ssl: load the sctl in/from the ckch
- MINOR: ssl: load the ocsp in/from the ckch
- BUG/MEDIUM: ssl: NULL dereference in ssl_sock_load_cert_sni()
- BUG/MINOR: ssl: fix build without SSL
- BUG/MINOR: ssl: fix build without multi-cert bundles
- BUILD: ssl: wrong #ifdef for SSL engines code
- BUG/MINOR: ssl: fix OCSP build with BoringSSL
- BUG/MEDIUM: htx: Catch chunk_memcat() failures when HTX data are formatted to h1
- BUG/MINOR: chunk: Fix tests on the chunk size in functions copying data
- BUG/MINOR: mux-h1: Mark the output buffer as full when the xfer is interrupted
- MINOR: mux-h1: Xfer as much payload data as possible during output processing
- CLEANUP: h1-htx: Move htx-to-h1 formatting functions from htx.c to h1_htx.c
- BUG/MINOR: mux-h1: Capture ignored parsing errors
- MINOR: h1: Reject requests with different occurrences of the header host
- MINOR: h1: Reject requests if the authority does not match the header host
- REGTESTS: Send valid URIs in peers reg-tests and fix HA config to avoid warnings
- REGTESTS: Adapt proxy_protocol_random_fail.vtc to match normalized URI too
- BUG/MINOR: WURFL: fix send_log() function arguments
- BUG/MINOR: ssl: fix error messages for OCSP loading
- BUG/MINOR: ssl: can't load ocsp files
- MINOR: version: make the version strings variables, not constants
- BUG/MINOR: http-htx: Properly set htx flags on error files to support keep-alive
- MINOR: htx: Add a flag on HTX to known when a response was generated by HAProxy
- MINOR: mux-h1: Force close mode for proxy responses with an unfinished request
- BUILD: travis-ci: limit build to branches "master" and "next"
- BUILD/MEDIUM: threads: rename thread_info struct to ha_thread_info
- BUILD/SMALL: threads: enable threads on osx
- BUILD/MEDIUM: threads: enable cpu_affinity on osx
- MINOR: istbuf: add b_fromist() to make a buffer from an ist
- BUG/MINOR: cache: also cache absolute URIs
- BUG/MINOR: mworker/ssl: close openssl FDs unconditionally
- BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers
- BUG/MEDIUM: lists: Handle 1-element-lists in MT_LIST_BEHEAD().
- BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing.
- BUG/MEDIUM: tasklet: properly compute the sleeping threads mask in tasklet_wakeup()
- BUG/MAJOR: idle conns: schedule the cleanup task on the correct threads
- BUG/MEDIUM: task: make tasklets either local or shared but not both at once
- Revert e8826ded5f.
- BUG/MEDIUM: mux_pt: Don't destroy the connection if we have a stream attached.
- BUG/MEDIUM: mux_pt: Only call the wake emthod if nobody subscribed to receive.
- REGTEST: mcli/mcli_show_info: launch a 'show info' on the master CLI
- CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes
- CLEANUP: ssl: make ssl_sock_load_ckchs() return a set of ERR_*
- CLEANUP: ssl: make cli_parse_set_cert handle errcode and warnings.
- CLEANUP: ssl: make ckch_inst_new_load_(multi_)store handle errcode/warn
- CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn
- CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn
- CLEANUP: bind: handle warning label on bind keywords parsing.
- BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored with openssl > 1.1.1
- BUG/MINOR: mworker/cli: reload fail with inherited FD
- BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed
- BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr
- BUG/MINOR: cache: alloc shctx after check config
- BUG/MINOR: sample: Make the `field` converter compatible with `-m found`
- BUG/MINOR: server: check return value of fopen() in apply_server_state()
- REGTESTS: make seamless-reload depend on 1.9 and above
- REGTESTS: server/cli_set_fqdn requires version 1.8 minimum
- BUG/MINOR: dns: allow srv record weight set to 0
- BUG/MINOR: ssl: fix memcpy overlap without consequences.
- BUG/MINOR: stick-table: fix an incorrect 32 to 64 bit key conversion
- BUG/MEDIUM: pattern: make the pattern LRU cache thread-local and lockless
- BUG/MINOR: mux-h2: do not emit logs on backend connections
- CLEANUP: ssl: remove old TODO commentary
- CLEANUP: ssl: fix SNI/CKCH lock labels
- MINOR: ssl: OCSP functions can load from file or buffer
- MINOR: ssl: load sctl from buf OR from a file
- MINOR: ssl: load issuer from file or from buffer
- MINOR: ssl: split ssl_sock_load_crt_file_into_ckch()
- BUG/MINOR: ssl/cli: fix looking up for a bundle
- MINOR: ssl/cli: update ocsp/issuer/sctl file from the CLI
- MINOR: ssl: update ssl_sock_free_cert_key_and_chain_contents
- MINOR: ssl: copy a ckch from src to dst
- MINOR: ssl: new functions duplicate and free a ckch_store
- MINOR: ssl/cli: assignate a new ckch_store
- MEDIUM: cli/ssl: handle the creation of SSL_CTX in an IO handler
- BUG/MINOR: ssl/cli: fix build of SCTL and OCSP
- BUG/MINOR: ssl/cli: out of bounds when built without ocsp/sctl
- BUG/MINOR: ssl: fix build with openssl < 1.1.0
- BUG/MINOR: ssl: fix build of X509_chain_up_ref() w/ libreSSL
- MINOR: tcp: avoid confusion in time parsing init
- MINOR: debug: add a new "debug dev stream" command
- MINOR: cli/debug: validate addresses using may_access() in "debug dev stream"
- REORG: move CLI access level definitions to cli.h
- MINOR: cli: add an expert mode to hide dangerous commands
- MINOR: debug: make most debug CLI commands accessible in expert mode
- MINOR: stats/debug: maintain a counter of debug commands issued
- BUG/MEDIUM: debug: address a possible null pointer dereference in "debug dev stream"
As reported in issue #343, there is one case where a NULL stream can
still be dereferenced, when getting &s->txn->flags. Let's protect all
assignments to stay on the safe side for future additions.
No backport is needed.
Debug commands will usually mark the fate of the process. We'd rather
have them counted and visible in a core or in stats output than trying
to guess how a flag combination could happen. The counter is only
incremented when the command is about to be issued however, so that
failed attempts are ignored.
Instead of relying on DEBUG_DEV for most debugging commands, which is
limiting, let's condition them to expert mode. Only one ("debug dev exec")
remains conditionned to DEBUG_DEV because it can have a security implication
on the system. The commands are not listed unless "expert-mode on" was first
entered on the CLI :
> expert-mode on
> help
debug dev close <fd> : close this file descriptor
debug dev delay [ms] : sleep this long
debug dev exec [cmd] ... : show this command's output
debug dev exit [code] : immediately exit the process
debug dev hex <addr> [len]: dump a memory area
debug dev log [msg] ... : send this msg to global logs
debug dev loop [ms] : loop this long
debug dev panic : immediately trigger a panic
debug dev stream ... : show/manipulate stream flags
debug dev tkill [thr] [sig] : send signal to thread
> debug dev stream
Usage: debug dev stream { <obj> <op> <value> | wake }*
<obj> = {strm | strm.f | sif.f | sif.s | sif.x | sib.f | sib.s | sib.x |
txn.f | req.f | req.r | req.w | res.f | res.r | res.w}
<op> = {'' (show) | '=' (assign) | '^' (xor) | '+' (or) | '-' (andnot)}
<value> = 'now' | 64-bit dec/hex integer (0x prefix supported)
'wake' wakes the stream asssigned to 'strm' (default: current)
Some commands like the debug ones are not enabled by default but can be
useful on some production environments. In order to avoid the temptation
of using them incorrectly, let's introduce an "expert" mode for a CLI
connection, which allows some commands to appear and be used. It is
enabled by command "expert-mode on" which is not listed by default.
This function adds some control by verifying that the target address is
really readable. It will not protect against writing to wrong places,
but will at least protect against a large number of mistakes such as
incorrectly copy-pasted addresses.
This new "debug dev stream" command allows to manipulate flags, timeouts,
states for streams, channels and stream interfaces, as well as waking a
stream up. These may be used to help reproduce certain bugs during
development. The operations are performed to the stream assigned by
"strm" which defaults to the CLI's stream. This stream pointer can be
chosen from one of those reported in "show sess". Example:
socat - /tmp/sock1 <<< "debug dev stream strm=0x1555b80 req.f=-1 req.r=now wake"
We never enter val_fc_time_value when an associated fetcher such as `fc_rtt` is
called without argument. meaning `type == ARGT_STOP` will never be true and so
the default `data.sint = TIME_UNIT_MS` will never be set. remove this part to
avoid thinking default data.sint is set to ms while reading the code.
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
[Cf: This patch may safely backported as far as 1.7. But no matter if not.]
8c1cddef ("MINOR: ssl: new functions duplicate and free a ckch_store")
use some OpenSSL refcount functions that were introduced in OpenSSL
1.0.2 and OpenSSL 1.1.0.
Fix the problem by introducing them in openssl-compat.h.
Fix#336.
Commit 541a534 ("BUG/MINOR: ssl/cli: fix build of SCTL and OCSP")
introduced a bug in which we iterate outside the array durint a 'set ssl
cert' if we didn't built with the ocsp or sctl.
To avoid affecting too much the traffic during a certificate update,
create the SNIs in a IO handler which yield every 10 ckch instances.
This way haproxy continues to respond even if we tries to update a
certificate which have 50 000 instances.
When updating a certificate from the CLI, it is not possible to revert
some of the changes if part of the certicate update failed. We now
creates a copy of the ckch_store for the changes so we can revert back
if something goes wrong.
Even if the ckch_store was affected before this change, it wasn't
affecting the SSL_CTXs used for the traffic. It was only a problem if we
try to update a certificate after we failed to do it the first time.
The new ckch_store is also linked to the new sni_ctxs so it's easy to
insert the sni_ctxs before removing the old ones.
ssl_sock_copy_cert_key_and_chain() copy the content of a
<src> cert_key_and_chain to a <dst>.
It applies a refcount increasing on every SSL structures (X509, DH,
privte key..) and allocate new buffers for the other fields.
It is now possible to update new parts of a CKCH from the CLI.
Currently you will be able to update a PEM (by default), a OCSP response
in base64, an issuer file, and a SCTL file.
Each update will creates a new CKCH and new sni_ctx structure so we will
need a "commit" command later to apply several changes and create the
sni_ctx only once.
Split the ssl_sock_load_crt_file_into_ckch() in two functions:
- ssl_sock_load_files_into_ckch() which is dedicated to opening every
files related to a filename during the configuration parsing (PEM, sctl,
ocsp, issuer etc)
- ssl_sock_load_pem_into_ckch() which is dedicated to opening a PEM,
either in a file or a buffer
ssl_sock_load_issuer_file_into_ckch() is a new function which is able to
load an issuer from a buffer or from a file to a CKCH.
Use this function directly in ssl_sock_load_crt_file_into_ckch()
The ssl_sock_load_sctl_from_file() function was modified to
fill directly a struct cert_key_and_chain.
The function prototype was normalized in order to be used with the CLI
payload parser.
This function either read text from a buffer or read a file on the
filesystem.
It fills the ocsp_response buffer of the struct cert_key_and_chain.
The ssl_sock_load_ocsp_response_from_file() function was modified to
fill directly a struct cert_key_and_chain.
The function prototype was normalized in order to be used with the CLI
payload parser.
This function either read a base64 from a buffer or read a binary file
on the filesystem.
It fills the ocsp_response buffer of the struct cert_key_and_chain.
The logs were added to the H2 mux so that we can report logs in case
of errors that prevent a stream from being created, but as a side effect
these logs are emitted twice for backend connections: once by the H2 mux
itself and another time by the upper layer stream. It can even happen
more with connection retries.
This patch makes sure we do not emit logs for backend connections.
It should be backported to 2.0 and 1.9.
As reported in issue #335, a lot of contention happens on the PATLRU lock
when performing expensive regex lookups. This is absurd since the purpose
of the LRU cache was to have a fast cache for expressions, thus the cache
must not be shared between threads and must remain lockless.
This commit makes the LRU cache thread-local and gets rid of the PATLRU
lock. A test with 7 threads on 4 cores climbed from 67kH/s to 369kH/s,
or a scalability factor of 5.5.
Given the huge performance difference and the regression caused to
users migrating from processes to threads, this should be backported at
least to 2.0.
Thanks to Brian Diekelman for his detailed report about this regression.
As reported in issue #331, the code used to cast a 32-bit to a 64-bit
stick-table key is wrong. It only copies the 32 lower bits in place on
little endian machines or overwrites the 32 higher ones on big endian
machines. It ought to simply remove the wrong cast dereference.
This bug was introduced when changing stick table keys to samples in
1.6-dev4 by commit bc8c404449 ("MAJOR: stick-tables: use sample types
in place of dedicated types") so it the fix must be backported as far
as 1.6.
A trick is used to set SESSION_ID, and SESSION_ID_CONTEXT lengths
to 0 and avoid ASN1 encoding of these values.
There is no specific function to set the length of those parameters
to 0 so we fake this calling these function to a different value
with the same buffer but a length to zero.
But those functions don't seem to check the length of zero before
performing a memcpy of length zero but with src and dst buf on the
same pointer, causing valgrind to bark.
So the code was re-work to pass them different pointers even
if buffer content is un-used.
In a second time, reseting value, a memcpy overlap
happened on the SESSION_ID_CONTEXT. It was re-worked and this is
now reset using the constant global value SHCTX_APPNAME which is a
different pointer with the same content.
This patch should be backported in every version since ssl
support was added to haproxy if we want valgrind to shut up.
This is tracked in github issue #56.
Processing of SRV record weight was inaccurate and when a SRV record's
weight was set to 0, HAProxy enforced it to '1'.
This patch aims at fixing this without breaking compability with
previous behavior.
Backport status: 1.8 to 2.0
Since latest updates, vtest requires the master CLI when running in
master-worker mode, and this one is only available starting with 1.9.
The seamless reload test is the only one depending on this and now
fails on 1.8, so let's adjust it accordingly.
fopen() can return NULL when state file is missing. This patch adds a
check of fopen() return value so we can skip processing in such case.
No backport needed.
Previously an expression like:
path,field(2,/) -m found
always returned `true`.
Bug exists since the `field` converter exists. That is:
f399b0debf
The fix should be backported to 1.6+.
