pve-http-server/PVE/APIServer
Stoiko Ivanov c82d1707ed accept-phase: fix conn_count "leak"
When handling new connections in 'accept_connections', the number of
active connections (conn_count) got increased before the callback, which
would eventually decrease it, got registered in AnyEvent::Handle->new.

Any error/die before registering the callback would skip the
decrement, and leave the process in an endless loop upon exiting in
wait_end_loop.

This can happen e.g. when the call to getpeername fails, or if the
connection is denied by the ALLOW_FROM/DENY_FROM settings in
'/etc/default/pveproxy' (which is also a simple reproducer for that).

Additionally, it can cause a denial of service by attempting to
connect from a denied IP until the connection count exceeds the maximum
connections of all child processes.

This patch addresses the issue by incrementing the connection count
before attempting to create the handle, and decrementing it again if
handle creation fails.

A warning is logged if 'conn_count' turns negative when decrementing
during cleanup on error/eof. In case creating a new handle during
initial accept_connection fails, a warning is logged as well, but
'conn_count' is not decremented.

Reported via our community-forum:
https://forum.proxmox.com/threads/pveproxy-eats-available-ram.79617/

Co-Authored-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2020-12-10 20:23:38 +01:00
Formatter api-server: extract, set and handle API token header 2020-01-28 20:43:51 +01:00
AnyEvent.pm accept-phase: fix conn_count "leak" 2020-12-10 20:23:38 +01:00
Formatter.pm api-server: extract, set and handle API token header 2020-01-28 20:43:51 +01:00
Utils.pm Add short comment about users of read_proxy_config 2019-02-26 07:05:33 +01:00