Wednesday, April 22, 2020

[389-commits] [389-ds-base] branch 389-ds-base-1.4.3 updated: Ticket 51035 - Heavy StartTLS connection load can randomly fail with err=1

This is an automated email from the git hooks/post-receive script.

tbordaz pushed a commit to branch 389-ds-base-1.4.3
in repository 389-ds-base.

The following commit(s) were added to refs/heads/389-ds-base-1.4.3 by this push:
new 285fd0d Ticket 51035 - Heavy StartTLS connection load can randomly fail with err=1
285fd0d is described below

commit 285fd0dfe9d35d6339eb6e7968d56638b8613df1
Author: Thierry Bordaz <tbordaz@redhat.com>
AuthorDate: Mon Apr 20 15:17:03 2020 +0200

Ticket 51035 - Heavy StartTLS connection load can randomly fail with err=1

Bug Description:
startTls pushes a network layer on top of the connection.
So when processing startTLS, there should not be a pending operation
else there is a risk that the operation sends back data on moving
network layer.
When startTls detects a pending operation it aborts startTls.
However if a new operation is received while processing startTls,
the operation is pending but can not be read because startTls
holds c_mutex.

Fix Description:
In case of unread pending operation, relax the control
and just log an information message.

https://pagure.io/389-ds-base/issue/51035

Reviewed by: Mark Reynolds, William Brown

Platforms tested: F30

Flag Day: no

Doc impact: no
---
ldap/servers/slapd/operation.c | 4 ++--
ldap/servers/slapd/start_tls_extop.c | 30 +++++++++++++++++++++++++-----
2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/ldap/servers/slapd/operation.c b/ldap/servers/slapd/operation.c
index 8590e2d..ff16cd9 100644
--- a/ldap/servers/slapd/operation.c
+++ b/ldap/servers/slapd/operation.c
@@ -150,8 +150,8 @@ operation_init(Slapi_Operation *o, int flags)
/* We can't get rid of this til we remove the operation stack. */
memset(o, 0, sizeof(Slapi_Operation));
o->o_ber = ber;
- o->o_msgid = -1;
- o->o_tag = LBER_DEFAULT;
+ o->o_msgid = -1; /* if changed please update start-tls that test this value */
+ o->o_tag = LBER_DEFAULT; /* if changed please update start-tls that test this value */
o->o_status = SLAPI_OP_STATUS_PROCESSING;
slapi_sdn_init(&(o->o_sdn));
o->o_authtype = NULL;
diff --git a/ldap/servers/slapd/start_tls_extop.c b/ldap/servers/slapd/start_tls_extop.c
index bfa32b7..f415c41 100644
--- a/ldap/servers/slapd/start_tls_extop.c
+++ b/ldap/servers/slapd/start_tls_extop.c
@@ -188,11 +188,31 @@ start_tls(Slapi_PBlock *pb)
/* Check whether the Start TLS request can be accepted. */
if (connection_operations_pending(conn, pb_op,
1 /* check for ops where result not yet sent */)) {
- slapi_log_err(SLAPI_LOG_PLUGIN, "start_tls",
- "Other operations are still pending on the connection.\n");
- ldaprc = LDAP_OPERATIONS_ERROR;
- ldapmsg = "Other operations are still pending on the connection.";
- goto unlock_and_return;
+ for (Operation *op = conn->c_ops; op != NULL; op = op->o_next) {
+ if (op == pb_op) {
+ continue;
+ }
+ if ((op->o_msgid == -1) && (op->o_tag == LBER_DEFAULT)) {
+ /* while processing start-tls extop we also received a new incoming operation
+ * As this operation will not processed until start-tls completes.
+ * Be fair do not consider this operation as a pending one
+ */
+ slapi_log_err(SLAPI_LOG_CONNS, "start_tls",
+ "New incoming operation blocked by start-tls, Continue start-tls (conn=%"PRIu64").\n",
+ conn->c_connid);
+ continue;
+ } else {
+ /* It is problematic, this pending operation is processed and
+ * start-tls can push new network layer while the operation
+ * send result. Safest to abort start-tls
+ */
+ slapi_log_err(SLAPI_LOG_CONNS, "start_tls",
+ "Other operations are still pending on the connection.\n");
+ ldaprc = LDAP_OPERATIONS_ERROR;
+ ldapmsg = "Other operations are still pending on the connection.";
+ goto unlock_and_return;
+ }
+ }
}



--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
389-commits mailing list -- 389-commits@lists.fedoraproject.org
To unsubscribe send an email to 389-commits-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-commits@lists.fedoraproject.org

No comments:

Post a Comment