Commit 0a4ab924 authored by Jim Jagielski's avatar Jim Jagielski

Merge r1758307, r1758308, r1758309, r1758311 from trunk:

mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'

The 'data' AcceptFilter optimization instructs Windows to wait until
data is received on a connection before completing the AcceptEx
operation. Unfortunately, it seems this isn't performed atomically --
AcceptEx "partially" accepts the incoming connection during the wait for
data, leaving all other incoming connections in the accept queue. This
opens the server to a denial of service.

Since the fix for this requires a substantial rearchitecture (likely
involving multiple outstanding calls to AcceptEx), disable the 'data'
filter for now and replace it with 'connect', which uses the AcceptEx
interface but does not wait for data.

Users running prior releases of httpd on Windows should explicitly move
to a 'connect' AcceptFilter in their configurations if they are
currently using the default 'data' filter.

Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for
their assistance in tracking down and diagnosing this issue.

PR: 59970

mpm_winnt: remove the AcceptEx data network bucket

Follow-up to the prior commit: without an incoming data buffer, the
custom network bucket code is now orphaned and we can remove it
entirely. This has the added benefit that we are no longer using the
internal OVERLAPPED.Pointer field, which is discouraged by the MSDN
docs.

mpm_winnt: remove duplication of ap_process_connection

Further follow-up to the previous commit: now that we no longer patch a
network bucket into the brigade, we can revert to calling
ap_process_connection() directly instead of duplicating its logic.

docs: rebuild
Submitted by: jchampion
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1759471 13f79535-47bb-0310-9956-ffa450edef68
parent bbe5a751
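A configuration check for the change described in the commit message, added here as an example and not part of httpd or this commit: it reads an httpd.conf as text, applies the version-dependent Windows default given in the message and the docs (data on 2.4.23 and earlier, connect from 2.4.24 onward, with an explicit data mapped to connect), reports which protocols are still on the data filter, and rewrites the file to an explicit connect so the setting no longer depends on the release's default. The sample configuration is constructed, the check only matters for mpm_winnt, and the script assumes a single file (it does not follow Include directives).

```python
"""Audit an httpd.conf for the mpm_winnt 'data' AcceptFilter (PR 59970).

Added example, not httpd code.  Assumptions: a single config file as text
(Include directives are not followed); the Windows defaults are 'data' up
to 2.4.23 and 'connect' from 2.4.24, where an explicit 'data' is mapped to
'connect', as the commit message and docs state.
"""
import re
from typing import Dict, List, Tuple

PROTOCOLS = ("http", "https")
FIXED_VERSION = (2, 4, 24)  # first release without the 'data' filter

# Directive name and protocol are case-insensitive in httpd; the value may
# be double-quoted.  Full-line comments start with '#' and never match.
DIRECTIVE_RE = re.compile(r'^\s*AcceptFilter\s+(\S+)\s+("?)([^"\s]+)\2\s*$',
                          re.IGNORECASE)

# Constructed sample config (not from any real server): http relies on the
# old default, https sets 'data' explicitly, the commented line is ignored.
SAMPLE_CONF = """\
# httpd.conf (constructed sample)
Listen 80
Listen 443
    acceptfilter HTTPS "data"
#AcceptFilter http connect
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.23' -> (2, 4, 23) so versions compare as tuples."""
    return tuple(int(p) for p in text.split("."))


def parse_accept_filters(conf_text: str) -> Dict[str, str]:
    """Map protocol -> filter value for every live AcceptFilter directive.

    Later directives override earlier ones, matching httpd's last-wins rule.
    """
    filters: Dict[str, str] = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            filters[m.group(1).lower()] = m.group(3).lower()
    return filters


def effective_filter(filters: Dict[str, str], protocol: str,
                     version: Tuple[int, ...]) -> str:
    """Resolve what mpm_winnt actually uses for a protocol at a given version."""
    explicit = filters.get(protocol)
    if version >= FIXED_VERSION:
        # 2.4.24+: default is 'connect' and 'data' falls back to 'connect'.
        return "connect" if explicit in (None, "data") else explicit
    # 2.4.23 and earlier: the default is 'data'.
    return explicit if explicit is not None else "data"


def audit(conf_text: str, version_str: str) -> List[Tuple[str, str]]:
    """Return (protocol, reason) for each protocol still on the 'data' filter."""
    version = parse_version(version_str)
    filters = parse_accept_filters(conf_text)
    findings = []
    for proto in PROTOCOLS:
        if effective_filter(filters, proto, version) == "data":
            reason = ("explicit 'data' directive" if filters.get(proto) == "data"
                      else "no directive; pre-2.4.24 Windows default is 'data'")
            findings.append((proto, reason))
    return findings


def remediate(conf_text: str) -> str:
    """Rewrite 'data' directives to 'connect' and add explicit 'connect'
    lines for protocols that had none, so the result is safe on every
    release regardless of that release's default."""
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            proto = m.group(1).lower()
            seen.add(proto)
            if m.group(3).lower() == "data":
                indent = line[:len(line) - len(line.lstrip())]
                out.append(f"{indent}AcceptFilter {proto} connect")
                continue
        out.append(line)
    for proto in PROTOCOLS:
        if proto not in seen:
            out.append(f"AcceptFilter {proto} connect")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ver in ("2.4.23", "2.4.24"):
        print(ver, audit(SAMPLE_CONF, ver))
    print(remediate(SAMPLE_CONF))
```

Running it against the sample reports both protocols on 2.4.23 (http because nothing was set and the old default applies, https because data was set explicitly) and nothing on 2.4.24, which is the point of the commit's advice: an operator who never touched AcceptFilter on an older release is affected just as much as one who set data by hand.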
+3 −0
@@ -2,6 +2,9 @@

Changes with Apache 2.4.24

  *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
     use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]

  *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
     CGI to be killed prematurely, resulting in a truncated subsequent
     response. [Eric Covener]
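Review bot: the CHANGES entry says 'data' is replaced by 'connect' but not that an existing `AcceptFilter http data` line still loads and is mapped to 'connect' at runtime; the docs warning added in this same commit states that fallback, and an administrator reading only CHANGES at upgrade time cannot tell from this entry whether a config that names 'data' will fail to start. Suggest extending the entry, e.g. "... by replacing it with the 'connect' filter; configurations that specify 'data' now get 'connect'. PR 59970."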
+22 −11
@@ -183,20 +183,15 @@ AcceptFilter https data</pre>
       tcp(7)</a> man page.</p>

    <p>The default values on Windows are:</p>
    <pre class="prettyprint lang-config">AcceptFilter http data
AcceptFilter https data</pre>
    <pre class="prettyprint lang-config">AcceptFilter http connect
AcceptFilter https connect</pre>


    <p>Window's mpm_winnt interprets the AcceptFilter to toggle the AcceptEx()
       API, and does not support http protocol buffering.  There are two values
       which utilize the Windows AcceptEx() API and will recycle network
       sockets between connections.  <code>data</code> waits until data has
       been transmitted as documented above, and the initial data buffer and
       network endpoint addresses are all retrieved from the single AcceptEx()
       invocation.  <code>connect</code> will use the AcceptEx() API, also
       retrieve the network endpoint addresses, but like <code>none</code>
       the <code>connect</code> option does not wait for the initial data
       transmission.</p>
       API, and does not support http protocol buffering. <code>connect</code>
       will use the AcceptEx() API, also retrieve the network endpoint
       addresses, but like <code>none</code> the <code>connect</code> option
       does not wait for the initial data transmission.</p>

    <p>On Windows, <code>none</code> uses accept() rather than AcceptEx()
       and will not recycle sockets between connections.  This is useful for
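Review bot: the rewritten paragraph drops the sentence that the AcceptEx() values "will recycle network sockets between connections", but the unchanged paragraph right after it still contrasts `none` as one that "will not recycle sockets between connections", so that contrast now dangles; keep one clause saying `connect` recycles sockets. The retained "Window's mpm_winnt" is also a possessive typo (should read "The Windows mpm_winnt"). Both fixes belong in the .xml source this HTML is generated from, followed by a rebuild.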
@@ -204,6 +199,22 @@ AcceptFilter https data</pre>
       network providers such as vpn drivers, or spam, virus or spyware
       filters.</p>

    <div class="warning">
      <h3>The <code>data</code> AcceptFilter (Windows)</h3>

      <p>For versions 2.4.23 and prior, the Windows <code>data</code> accept
         filter waited until data had been transmitted and the initial data
         buffer and network endpoint addresses had been retrieved from the
         single AcceptEx() invocation. This implementation was subject to a
         denial of service attack and has been disabled.</p>

      <p>Current releases of httpd default to the <code>connect</code> filter
         on Windows, and will fall back to <code>connect</code> if
         <code>data</code> is specified. Users of prior releases are encouraged
         to add an explicit setting of <code>connect</code> for their
         AcceptFilter, as shown above.</p>
    </div>


<h3>See also</h3>
<ul>
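Review bot: "has been disabled" together with "will fall back to connect if data is specified" does not say whether the server reports the fallback; if mpm_winnt logs a notice at startup when 'data' is configured, the warning should say so, and if it is silent, say that instead so administrators know not to rely on the log. The last sentence also reads as though only users who set 'data' explicitly need to act, whereas the commit message says prior releases default to 'data'; rephrase along the lines of "Users of prior releases, where 'data' is the default, should set AcceptFilter to connect explicitly" (same comment applies to the .xml source).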
+22 −11
@@ -85,20 +85,15 @@ AcceptFilter https data

    <p>The default values on Windows are:</p>
    <highlight language="config">
AcceptFilter http data
AcceptFilter https data
AcceptFilter http connect
AcceptFilter https connect
    </highlight>

    <p>Window's mpm_winnt interprets the AcceptFilter to toggle the AcceptEx()
       API, and does not support http protocol buffering.  There are two values
       which utilize the Windows AcceptEx() API and will recycle network
       sockets between connections.  <code>data</code> waits until data has
       been transmitted as documented above, and the initial data buffer and
       network endpoint addresses are all retrieved from the single AcceptEx()
       invocation.  <code>connect</code> will use the AcceptEx() API, also
       retrieve the network endpoint addresses, but like <code>none</code>
       the <code>connect</code> option does not wait for the initial data
       transmission.</p>
       API, and does not support http protocol buffering. <code>connect</code>
       will use the AcceptEx() API, also retrieve the network endpoint
       addresses, but like <code>none</code> the <code>connect</code> option
       does not wait for the initial data transmission.</p>

    <p>On Windows, <code>none</code> uses accept() rather than AcceptEx()
       and will not recycle sockets between connections.  This is useful for
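Review bot: this is the source for the HTML hunk above and the place to fix it: the rewrite removes the statement that the AcceptEx() path recycles network sockets between connections while the following paragraph still says `none` "will not recycle sockets between connections", and "Window's mpm_winnt" is a possessive typo. Suggested wording: "The Windows mpm_winnt interprets the AcceptFilter to toggle the AcceptEx() API, and does not support http protocol buffering. <code>connect</code> uses the AcceptEx() API, recycles network sockets between connections and retrieves the network endpoint addresses, but like <code>none</code> does not wait for the initial data transmission."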
@@ -106,6 +101,22 @@ AcceptFilter https data
       network providers such as vpn drivers, or spam, virus or spyware
       filters.</p>

    <note type="warning">
      <title>The <code>data</code> AcceptFilter (Windows)</title>

      <p>For versions 2.4.23 and prior, the Windows <code>data</code> accept
         filter waited until data had been transmitted and the initial data
         buffer and network endpoint addresses had been retrieved from the
         single AcceptEx() invocation. This implementation was subject to a
         denial of service attack and has been disabled.</p>

      <p>Current releases of httpd default to the <code>connect</code> filter
         on Windows, and will fall back to <code>connect</code> if
         <code>data</code> is specified. Users of prior releases are encouraged
         to add an explicit setting of <code>connect</code> for their
         AcceptFilter, as shown above.</p>
    </note>

</usage>
<seealso><directive module="core">Protocol</directive></seealso>
</directivesynopsis>
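Review bot: same two points as for the rendered warning, to be fixed in this source: state whether mpm_winnt logs anything when an explicit 'data' is mapped to 'connect', and make clear that the pre-2.4.24 default was 'data', so operators who never set AcceptFilter on those releases are affected as well, not only "Users of prior releases" who chose 'data' by hand.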
+4 −3
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- English Revision: 1040494:1750752 (outdated) -->

<?xml-stylesheet type="text/xsl" href="../style/manual.es.xsl"?>
<!-- English Revision: 1741251:1758307 (outdated) -->
<!-- Translated by Luis Gil de Bernabé Pfeiffer lgilbernabe[AT]apache.org -->
<!-- Reviewed by Sergio Ramos-->
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
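Review bot: the xml-stylesheet processing instruction changes from manual.en.xsl to manual.es.xsl in the same hunk that bumps the English Revision marker; that is a separate correctness fix for the Spanish translation (it was being rendered with the English stylesheet) and is not mentioned in the commit message, which describes the doc changes as "docs: rebuild". The marker's base revision also moves from 1040494 to 1741251, which is more than flagging the file as outdated; confirm the Spanish text really corresponds to r1741251 rather than only updating the second number to 1758307.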
+1 −1
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
<!-- English Revision: 1750752 -->
<!-- English Revision: 1757920:1758307 (outdated) -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
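Review bot: the marker goes from a synced "1750752" to "1757920:1758307 (outdated)"; the first number records the English revision the French text corresponds to, so moving it from 1750752 to 1757920 asserts the translation was synced up to r1757920, which this change does not visibly do. If the intent is only to flag the file as outdated by r1758307, the base should stay at 1750752; otherwise note in the commit message which revision the French text was synced to.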
