Otherwise we will trigger next UAF:
$ valgrind --vgdb-error=1 regress --no-fork +dns/client_fail_requests
==24733== Memcheck, a memory error detector
==24733== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24733== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24733== Command: regress --no-fork +dns/client_fail_requests
==24733==
==24733==
==24733== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==24733== /path/to/gdb regress
==24733== and then give GDB the following command
==24733== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=24733
==24733== --pid is optional if only one valgrind process is running
==24733==
dns/client_fail_requests: ==24733== Invalid read of size 4
==24733== at 0x4C3352: request_finished (evdns.c:662)
==24733== by 0x4CC8B7: evdns_base_free_and_unlock (evdns.c:4048)
==24733== by 0x4CCAFD: evdns_base_free (evdns.c:4088)
==24733== by 0x458E95: dns_client_fail_requests_test (regress_dns.c:2039)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733== Address 0x61e6f70 is 448 bytes inside a block of size 456 free'd
==24733== at 0x4C29EAB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733== by 0x4A8F4D: event_mm_free_ (event.c:3512)
==24733== by 0x4CC7A1: evdns_nameserver_free (evdns.c:4021)
==24733== by 0x4CC7DC: evdns_base_free_and_unlock (evdns.c:4037)
==24733== by 0x4CCAFD: evdns_base_free (evdns.c:4088)
==24733== by 0x458E95: dns_client_fail_requests_test (regress_dns.c:2039)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733== Block was alloc'd at
==24733== at 0x4C28C4F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733== by 0x4A8D5A: event_mm_malloc_ (event.c:3437)
==24733== by 0x4C8B96: evdns_nameserver_add_impl_ (evdns.c:2505)
==24733== by 0x4C916D: evdns_base_nameserver_ip_add (evdns.c:2629)
==24733== by 0x458DA3: dns_client_fail_requests_test (regress_dns.c:2031)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733==
==24733== (action on error) vgdb me ...
Fixes: regress dns/client_fail_requests
Fixes: #269
In case when evdns_base_free() called with @fail_requests, we can potentially
have leaks, but we can avoid them if we will run event loop once again to
trigger defer cbs, so let's do this, instead of magical decrements (and also
this will give an example how to avoid leaks for evdns).
This covers SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE error codes from ssl,
under which we must block read/write to avoid busy looping, and hence extra CPU
usage.
This test introduces custom BIO that will count read/write and validates
counters, with patches for be_openssl that drops handling
SSL/SSL_ERROR_WANT_READ there are more then 43K reads, so 100 is pretty ok.
Otherwise we can trigger incorrect callback, the simplest way to trigger this
is using http regression tests -- https_chunk_out, since all it do is:
evhttp_send_reply_end()
evbuffer_add()
do_write()
evhttp_write_buffer()
evcon->cb = cb
And indeed this is what happens:
(gdb) bt
#0 do_write (bev_ssl=0x738a90, atmost=16384) at bufferevent_openssl.c:717
#1 0x00000000004b69f7 in consider_writing (bev_ssl=0x738a90) at bufferevent_openssl.c:875
#2 0x00000000004b7386 in be_openssl_outbuf_cb (buf=0x7387b0, cbinfo=0x7fffffffd590, arg=0x738a90) at bufferevent_openssl.c:1147
#3 0x0000000000490100 in evbuffer_run_callbacks (buffer=0x7387b0, running_deferred=0) at buffer.c:508
#4 0x00000000004901e5 in evbuffer_invoke_callbacks_ (buffer=0x7387b0) at buffer.c:529
#5 0x0000000000493a30 in evbuffer_add (buf=0x7387b0, data_in=0x4ecfb2, datlen=5) at buffer.c:1803
#6 0x00000000004be2e3 in evhttp_send_reply_end (req=0x7371a0) at http.c:2794
#7 0x000000000045c407 in http_chunked_trickle_cb (fd=-1, events=1, arg=0x75aaf0) at regress_http.c:402
...
(gdb) p bev.writecb
$4 = (bufferevent_data_cb) 0x4ba17e <evhttp_write_cb>
$5 = (void *) 0x7379b0
(gdb) p (struct evhttp_connection *)bev.cbarg
$6 = (struct evhttp_connection *) 0x7379b0
(gdb) p $6->cb
$7 = (void (*)(struct evhttp_connection *, void *)) 0x0
And be_sock don't do like this anyway.
Fixes: https_chunk_out
Now it included by openssl, but nfter
openssl/openssl@master-post-reformat-1494-g6329b60 it will print warning
(apparently they dropped <string.h> from the generic headers).
By using bufferevent_enable() there will be no event for READ *or* WRITE if
they are not enabled before, and this patch reduces difference for
be_sock_enable/be_openssl_enable (handshake)
Using the following examples you can get changes between be_openssl and
be_sock:
$ function diff_addr()
{
eval diff -u $(printf "<(strip_addr %s) " "$@")
}
$ function strip_addr()
{
sed 's/0x[a-zA-Z0-9]*/0xFFFF/g' "$@"
}
$ EVENT_DEBUG_LOGGING_ALL= regress --verbose --no-fork +http/https_connection_retry 2> /tmp/https-retry.log >&2
$ EVENT_DEBUG_LOGGING_ALL= regress --verbose --no-fork +http/connection_retry 2> /tmp/http-retry.log >&2
$ diff_addr /tmp/http-retry.log /tmp/https-retry.log
This patchset adds some basic tests to cover some https cases:
$ regress +http/https_..
http/https_basic: [forking] OK
http/https_simple: [forking] OK
http/https_simple_dirty: [forking] OK
http/https_incomplete: [forking] OK
http/https_incomplete_timeout: [forking] OK
http/https_connection_retry: [forking] OK
http/https_connection_retry_conn_address: [forking] OK
7 tests ok. (0 skipped)
But there are some leaks in http regression tests (like init_ssl() and others),
must be fixed by using custom setup routine.
* https-coverage-v6:
test/http: allow dirty shutdown for ssl to fix https_incomplete
test/http: https basic
test/http: incomplete{,_timeout} for https
test/http: add simplest test for http/https/https_dirty_shutdown
test/http: https: retry coverage
test/http: https server support (plus some helpers)
test/http: more sanity checks
test/ssl: export getkey()/getcert()/get_ssl_ctx()/init_ssl() for https
Fixes:
../test/regress_bufferevent.c: In function ‘test_bufferevent_socket_filter_inactive’:
../test/regress_bufferevent.c:1180:1: warning: label ‘end’ defined but not used [-Wunused-label]
end:
For finalizers we can register yet another finalizer out from finalizer, and
iff finalizer will be in active_later_queue we can add finalizer to
activequeues, and we will have events in activequeues after event_base_free()
returns, which is not what we want (we even have an assertion for this).
A simple case is bufferevent with underlying (i.e. filters) in inactive queue.
Fixes: regress bufferevent/bufferevent_socket_filter_inactive
Right now this will fail with the next assertion:
$ regress --no-fork --verbose bufferevent/bufferevent_socket_filter_inactive
bufferevent/bufferevent_socket_filter_inactive: [err] ../event.c:862: Assertion TAILQ_EMPTY(&base->activequeues[i]) failed in event_base_free_
Aborted
../test/regress_buffer.c:201:12: warning: logical not is only applied to the left hand side of this comparison [-Wlogical-not-parentheses]
tt_assert(!memcmp((char*)EVBUFFER_DATA(evb), "1/hello", 7) != 0);
* evdns-randomization:
evdns: fix randomize-case by make case-insensitive as required
tests/regress_dns: cover that randomize-case works case-insensitive
evnds: inline TEST_NAME macro to make debuggin easier
Fixes#288
Interesting that this wasn't found by regression tests since they respond with
that SoME-rAndDom-CaSe domains, and no case-insensitive mode is required during
comparing response from the server and request.
Fixes#288
Covered-by: regress dns/search_lower
Sample bt:
(gdb) bt
#0 0x00000000004a95d2 in evthread_setup_global_lock_ (lock_=0x0, locktype=0, enable_locks=1)
#1 0x00000000004afbc7 in evsig_global_setup_locks_ (enable_locks=1) at signal.c:475
#2 0x00000000004a5da8 in event_global_setup_locks_ (enable_locks=1) at event.c:3838
#3 0x00000000004a8983 in evthread_set_lock_callbacks (cbs=0x7fffffffdde0) at evthread.c:129
#4 0x0000000000445a8f in use_lock_unlock_profiler () at regress_bufferevent.c:306
#5 0x0000000000445af2 in test_bufferevent_pair_release_lock (arg=0x70e710) at regress_bufferevent.c:327
#6 0x000000000048c9a8 in testcase_run_bare_ (testcase=0x6fdc10 <bufferevent_testcases+80>) at tinytest.c:105
#7 0x000000000048cc8a in testcase_run_one (group=0x6ff270 <testgroups+112>, testcase=0x6fdc10 <bufferevent_testcases+80>) at tinytest.c:252
#8 0x000000000048d5c9 in tinytest_main (c=3, v=0x7fffffffe008, groups=0x6ff200 <testgroups>) at tinytest.c:434
#9 0x000000000047a08f in main (argc=3, argv=0x7fffffffe008) at regress_main.c:459
Found-with: regress bufferevent/bufferevent_pair_release_lock (-DEVENT__DISABLE_DEBUG_MODE=ON)
