Fixed: A long TLS+HTTP/2 request such as by a browser causing block of other requests.

Test: Disabled privileges test if clixon_restconf started with -r
2022-05-02 10:31:53 +02:00 · 2022-05-02 10:31:53 +02:00 · 90474d1523
commit 90474d1523
parent 463aa15544
3 changed files with 38 additions and 24 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -68,7 +68,7 @@ Users may have to change how they access the system
    * Added 404 return without body if neither restconf, data or streams prefix match
 * Netconf: Usage of chunked framing"
    * To keep existing end-of-message encoding, set `CLICON_NETCONF_BASE_CAPABILITY` to `0`
-    * Added `clixon_netconf` command-line option `-0`and changed `-H` to `-1`
+    * Added `clixon_netconf` command-line option `-0` and changed `-H` to `-1`
       * `-0` means dont send hello, but fix netconf base version to 0 and use EOM framing
       * `-1` means dont send hello, but fix netconf base version to 1 and use chunked framing 
 * New `clixon-config@2022-03-21.yang` revision
@ -112,6 +112,7 @@ Users may have to change how they access the system

 ### Corrected Bugs

+* Fixed: A long TLS+HTTP/2 request such as by a browser causing block of other requests.
 * Fixed: [Error message seen twice in some cases](https://github.com/clicon/clixon/issues/325)
 * Fixed: [if choice is declared with multiple elements or leaf-list with in a case scope , addition or updation is not happening as expected](https://github.com/clicon/clixon/issues/327)
  * This includes several choice/case adjustments to follow RFC 7950 Sec 7.9 better
--- a/apps/restconf/restconf_native.c
+++ b/apps/restconf/restconf_native.c
@ -465,7 +465,7 @@ native_send_badrequest(clicon_handle       h,
 * @retval    -1    Error
 */
 static int
-native_clear_input(clicon_handle         h,
+http1_native_clear_input(clicon_handle         h,
 			 restconf_stream_data *sd)
 {
    int retval = -1;
@ -524,6 +524,7 @@ read_ssl(restconf_conn *rc,
    }
    retval = 0;
 done:
+    clicon_debug(1, "%s %d", __FUNCTION__, retval);
    return retval;
 }

@ -577,7 +578,8 @@ read_regular(restconf_conn *rc,
 }

 #ifdef HAVE_HTTP1
-/*! RESTCONF HTTP/1 processing after chunk of bytes read
+
+/*! Restconf HTTP/1 processing after chunk of bytes read
 *
 * @param[in]  rc           Restconf connection handle 
 * @param[in]  buf          Input buffer
@ -588,7 +590,7 @@ read_regular(restconf_conn *rc,
 * @retval     1            OK
 */
 static int
-restconf_http1(restconf_conn        *rc,
+restconf_http1_process(restconf_conn        *rc,
 		       char                 *buf,
 		       size_t                n,
 		       int                  *readmore)
@ -641,7 +643,7 @@ restconf_http1(restconf_conn        *rc,
 	    else if ((ret = clixon_event_poll(rc->rc_s)) < 0)
 		goto done;
 	    if (ret > 0){
-		if (native_clear_input(h, sd) < 0)
+		if (http1_native_clear_input(h, sd) < 0)
 		    goto done;
 		(*readmore)++;
 		goto ok;
@ -790,15 +792,18 @@ restconf_http2_upgrade(restconf_conn *rc)
 }
 #endif /* HAVE_LIBHTTP1 */

-/*!
+/*! Restconf HTTP/2 processing after chunk of bytes read
+ * @param[in]  rc       Restconf connection
 * @param[in]  buf      Input buffer
 * @param[in]  n        Size of input buffer
+ * @param[in]  n        Length of data in input buffer
+ * @param[out] readmore If set, read data again, do not continue processing
 * @retval     -1       Error
 * @retval     0        Socket closed, quit
 * @retval     1        OK
 */
 static int
-restconf_http2(restconf_conn *rc,
+restconf_http2_process(restconf_conn *rc,
 		       char          *buf,
 		       size_t         n,
 		       int           *readmore)
@ -823,7 +828,13 @@ restconf_http2(restconf_conn *rc,
 	    retval = 0;
 	    goto done;
 	}
-	/* There may be more data frames */
+	/* Check if read more data frames */
+	ret = 0;
+	if (rc->rc_ssl)
+	    ret = SSL_pending(rc->rc_ssl);
+	else if ((ret = clixon_event_poll(rc->rc_s)) < 0)
+	    goto done;
+	if (ret > 0)
 	    (*readmore)++;
    }
    retval = 1;
@ -891,7 +902,7 @@ restconf_connection(int   s,
 #ifdef HAVE_HTTP1
 	case HTTP_10:
 	case HTTP_11:
-	    if ((ret = restconf_http1(rc, buf, n, &readmore)) < 0)
+	    if ((ret = restconf_http1_process(rc, buf, n, &readmore)) < 0)
 		goto done;
 	    if (ret == 0)
 		goto ok;
@ -905,12 +916,10 @@ restconf_connection(int   s,
 #endif /* HAVE_HTTP1 */
 #ifdef HAVE_LIBNGHTTP2
 	case HTTP_2:
-	    if ((ret = restconf_http2(rc, buf, n, &readmore)) < 0)
+	    if ((ret = restconf_http2_process(rc, buf, n, &readmore)) < 0)
 		goto done;
 	    if (ret == 0)
 		goto ok;
-	    if (readmore)
-		continue;
 	    break;
 #endif /* HAVE_LIBNGHTTP2 */
 	default:
--- a/test/test_http_data.sh
+++ b/test/test_http_data.sh
@ -228,11 +228,15 @@ EOF
 	new "WWW get http soft link"
 	expectpart "$(curl $CURLOPTS -X GET -H 'Accept: text/html' $proto://localhost/data/inside.html)" 0 "HTTP/$HVER 403" "Content-Type: text/html" "<title>403 Forbidden</title>" --not-- "<title>Dont access this</title>"
 	
-	
-	if [ ! -f /.dockerenv ] ; then	# XXX Privs dont not work on docker/alpine?
+	# Two cases where the privileges test is not run:
+	# 1) Docker in alpine for some reason
+	# 2) Restconf run explicitly as root (eg coverage)
+	if [ ! -f /.dockerenv ] ; then  
+            if [[ "$clixon_restconf" != *"-r"* ]]; then
 		new "WWW get http not read access"
 		expectpart "$(curl $CURLOPTS -X GET -H 'Accept: text/html' $proto://localhost/data/noread.html)" 0 "HTTP/$HVER 403" "Content-Type: text/html" "<title>403 Forbidden</title>"
            fi
+	fi

 	# Try .. Cannot get .. in path to work in curl (it seems to remove it)
 	if [ "$proto" = http -a -n "$netcat" ]; then