From 9c8b1e38b0043fdee0bf05351df7f931c315e584 Mon Sep 17 00:00:00 2001 From: Christian Lachner Date: Tue, 4 Dec 2018 10:56:40 +0100 Subject: [PATCH] haproxy: Update all patches for HAProxy v1.8.14 - Add new patches (see https://www.haproxy.org/bugs/bugs-1.8.14.html) - Raise PKG_RELEASE to 5 - Improve version-handling Signed-off-by: Christian Lachner --- net/haproxy/Makefile | 13 ++-- ...esence-of-the-h2-pattern-in-npn-alpn.patch | 43 +++++++++++++ ...ake-sure-stksess-is-properly-aligned.patch | 61 +++++++++++++++++++ ...ges-when-parsing-of-a-backend-starts.patch | 38 ++++++++++++ ...-fix-encoding-of-accept-ranges-field.patch | 32 ++++++++++ ...sl.patch => 0045-deprecated-openssl.patch} | 0 6 files changed, 180 insertions(+), 7 deletions(-) create mode 100644 net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch create mode 100644 net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch create mode 100644 net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch create mode 100644 net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch rename net/haproxy/patches/{0041-deprecated-openssl.patch => 0045-deprecated-openssl.patch} (100%) diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index bacde98cc2..a4a4483b4c 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy PKG_VERSION:=1.8.14 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/ @@ -137,20 +137,20 @@ define Build/Compile DESTDIR="$(PKG_INSTALL_DIR)" \ CC="$(TARGET_CC)" \ PCREDIR="$(STAGING_DIR)/usr/" \ - SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \ + SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530" \ USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_TFO=1 \ USE_ZLIB=yes USE_PCRE=1 USE_PCRE_JIT=1 USE_GETADDRINFO=1 \ - VERSION="$(PKG_VERSION)-$(PKG_RELEASE)" \ + VERSION="$(PKG_VERSION)" SUBVERS="-$(PKG_RELEASE)" \ + VERDATE="$(shell date -d @$(SOURCE_DATE_EPOCH) '+%Y/%m/%d')" IGNOREGIT=1 \ $(ADDON) \ CFLAGS="$(TARGET_CFLAGS)" \ LD="$(TARGET_CC)" \ - LDFLAGS="$(TARGET_LDFLAGS) -latomic" \ - IGNOREGIT=1 + LDFLAGS="$(TARGET_LDFLAGS) -latomic" $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR) \ DESTDIR="$(PKG_INSTALL_DIR)" \ LD="$(TARGET_CC)" \ - LDFLAGS="$(TARGET_LDFLAGS)" \ + LDFLAGS="$(TARGET_LDFLAGS)" \ $(MAKE_FLAGS) \ install @@ -158,7 +158,6 @@ define Build/Compile DESTDIR="$(PKG_INSTALL_DIR)" \ $(MAKE_FLAGS) \ ADDLIB="-lcrypto" \ - VERSION="$(PKG_VERSION)-$(PKG_RELEASE)" \ halog endef diff --git a/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch b/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch new file mode 100644 index 0000000000..787f60c144 --- /dev/null +++ b/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch @@ -0,0 +1,43 @@ +commit c990c7fe448248c4e2a34b84b593cc1b3536b328 +Author: Willy Tarreau +Date: Sun Nov 11 10:36:25 2018 +0100 + + BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn + + In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at + least 16384 when using HTTP/2") tried to avoid an annoying issue making + H2 fail when haproxy is built with default buffer sizes smaller than 16kB, + which used to be the case for a very long time. Sadly, the test only sees + when NPN/ALPN exactly match "h2" and not when it's combined like + "h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because + the string is prefixed by the token's length (0x02) which is unambiguous + as it cannot be part of any other token. + + This fix should be backported to 1.8 as a safety guard against bad + configurations. + + (cherry picked from commit 4db49c0704898e51892a176505299de3e022c5ea) + Signed-off-by: William Lallemand + +diff --git a/src/cfgparse.c b/src/cfgparse.c +index 87a4d803..618ffd39 100644 +--- a/src/cfgparse.c ++++ b/src/cfgparse.c +@@ -7629,7 +7629,7 @@ int check_config_validity() + if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) { + #ifdef OPENSSL_NPN_NEGOTIATED + /* check NPN */ +- if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) { ++ if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) { + ha_alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", + curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); + cfgerr++; +@@ -7637,7 +7637,7 @@ int check_config_validity() + #endif + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + /* check ALPN */ +- if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) { ++ if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) { + ha_alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", + curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); + cfgerr++; diff --git a/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch b/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch new file mode 100644 index 0000000000..b70b00bcc5 --- /dev/null +++ b/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch @@ -0,0 +1,61 @@ +commit 5b259db1160fa12820cc5ba6399e4dbcefa6ab22 +Author: Olivier Houchard +Date: Wed Nov 14 17:54:36 2018 +0100 + + BUG/MEDIUM: Make sure stksess is properly aligned. + + When we allocate struct stksess, we also allocate memory to store the + associated data before the struct itself. + As the data can be of different types, they can have different size. However, + we need the struct stksess to be properly aligned, as it can do 64bits + load/store (including atomic load/stores) on 64bits platforms, and some of + them doesn't support unaligned access. + So, when allocating the struct stksess, round the size up to the next + multiple of sizeof(void *), and make sure the struct stksess itself is + properly aligned. + Many thanks to Paul Martin for investigating and reporting that bug. + + This should be backported to earlier releases. + + (cherry picked from commit 52dabbc4fad338233c7f0c96f977a43f8f81452a) + Signed-off-by: William Lallemand + +diff --git a/src/stick_table.c b/src/stick_table.c +index f1442603..0a238378 100644 +--- a/src/stick_table.c ++++ b/src/stick_table.c +@@ -44,6 +44,7 @@ + /* structure used to return a table key built from a sample */ + static THREAD_LOCAL struct stktable_key static_table_key; + ++#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1)) + /* + * Free an allocated sticky session , and decrease sticky sessions counter + * in table . +@@ -51,7 +52,7 @@ static THREAD_LOCAL struct stktable_key static_table_key; + void __stksess_free(struct stktable *t, struct stksess *ts) + { + t->current--; +- pool_free(t->pool, (void *)ts - t->data_size); ++ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size)); + } + + /* +@@ -229,7 +230,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key) + ts = pool_alloc(t->pool); + if (ts) { + t->current++; +- ts = (void *)ts + t->data_size; ++ ts = (void *)ts + round_ptr_size(t->data_size); + __stksess_init(t, ts); + if (key) + stksess_setkey(t, ts, key); +@@ -597,7 +598,7 @@ int stktable_init(struct stktable *t) + t->updates = EB_ROOT_UNIQUE; + HA_SPIN_INIT(&t->lock); + +- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED); ++ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED); + + t->exp_next = TICK_ETERNITY; + if ( t->expire ) { diff --git a/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch b/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch new file mode 100644 index 0000000000..21200bf4fb --- /dev/null +++ b/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch @@ -0,0 +1,38 @@ +commit 54824cf35520b11ff97e0937beeb429dcdc55fd0 +Author: Christopher Faulet +Date: Mon Nov 12 11:57:31 2018 +0100 + + BUG/MINOR: config: Copy default error messages when parsing of a backend starts + + To be used, error messages declared in a default section must be copied when the + parsing of a proxy section starts. But this was only done for frontends. + + This patch may be backported to older versions. + + (cherry picked from commit 6b44975fbd2f7d81074e20bc07fc0e01466cc9c9) + Signed-off-by: William Lallemand + +diff --git a/src/cfgparse.c b/src/cfgparse.c +index 618ffd39..6bc6b259 100644 +--- a/src/cfgparse.c ++++ b/src/cfgparse.c +@@ -2787,15 +2787,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) + curproxy->server_id_hdr_name = strdup(defproxy.server_id_hdr_name); + } + ++ /* initialize error relocations */ ++ for (rc = 0; rc < HTTP_ERR_SIZE; rc++) ++ chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); ++ + if (curproxy->cap & PR_CAP_FE) { + curproxy->maxconn = defproxy.maxconn; + curproxy->backlog = defproxy.backlog; + curproxy->fe_sps_lim = defproxy.fe_sps_lim; + +- /* initialize error relocations */ +- for (rc = 0; rc < HTTP_ERR_SIZE; rc++) +- chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); +- + curproxy->to_log = defproxy.to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR; + } + diff --git a/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch b/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch new file mode 100644 index 0000000000..e170b140c0 --- /dev/null +++ b/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch @@ -0,0 +1,32 @@ +commit 64a7cbf4ea3276b72ffb121acab676542cebde1b +Author: Willy Tarreau +Date: Tue Nov 20 04:47:38 2018 +0100 + + BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field + + James Brown reported that when an "accept-ranges" header field is sent + through haproxy and converted from HTTP/1.1 to H2, it's mis-encoded as + "accept-language". It happens that it's one of the few very common header + fields encoded using its index value and that this index value was misread + in the spec as 17 instead of 18, resulting in the wrong name being sent. + Thanks to Lukas for spotting the issue in the HPACK encoder itself. + + This fix must be backported to 1.8. + + (cherry picked from commit 4bf194cbdbcda8ec4ce83d7f12d2fe9b08483c94) + [wla: buffer API edit] + Signed-off-by: William Lallemand + +diff --git a/src/hpack-enc.c b/src/hpack-enc.c +index d1f68c58..99c73103 100644 +--- a/src/hpack-enc.c ++++ b/src/hpack-enc.c +@@ -101,7 +101,7 @@ int hpack_encode_header(struct chunk *out, const struct ist n, const struct ist + else if (isteq(n, ist("last-modified"))) + out->str[len++] = 0x6c; // literal with indexing -- name="last-modified" (idx 44) + else if (isteq(n, ist("accept-ranges"))) +- out->str[len++] = 0x51; // literal with indexing -- name="accept-ranges" (idx 17) ++ out->str[len++] = 0x52; // literal with indexing -- name="accept-ranges" (idx 18) + else if (isteq(n, ist("cache-control"))) + out->str[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24) + else if (isteq(n, ist("content-length"))) diff --git a/net/haproxy/patches/0041-deprecated-openssl.patch b/net/haproxy/patches/0045-deprecated-openssl.patch similarity index 100% rename from net/haproxy/patches/0041-deprecated-openssl.patch rename to net/haproxy/patches/0045-deprecated-openssl.patch -- 2.30.2