gRPC: generate error when response size is wrong.

As long as the "Content-Length" header is given, we now make sure it exactly matches the size of the response. If it doesn't, the response is considered malformed and must not be forwarded (https://tools.ietf.org/html/rfc7540#section-8.1.2.6). While it is not really possible to "not forward" the response which is already being forwarded, we generate an error instead, which is the closest equivalent. Previous behaviour was to pass everything to the client, but this seems to be suboptimal and causes issues (ticket #1695). Also this directly contradicts HTTP/2 specification requirements. Note that the new behaviour for the gRPC proxy is more strict than that applied in other variants of proxying. This is intentional, as HTTP/2 specification requires us to do so, while in other types of proxying malformed responses from backends are well known and historically tolerated.
2020-07-06 18:36:25 +03:00 · 2020-07-06 18:36:25 +03:00 · e757117c04
commit e757117c04
parent 1f7aab0d12
1 changed files with 38 additions and 1 deletions
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@ -84,6 +84,8 @@ typedef struct {
    ngx_uint_t                 pings;
    ngx_uint_t                 settings;

+    off_t                      length;
+
    ssize_t                    send_window;
    size_t                     recv_window;

@ -1953,10 +1955,28 @@ ngx_http_grpc_filter_init(void *data)
    r = ctx->request;
    u = r->upstream;

-    u->length = 1;
+    if (u->headers_in.status_n == NGX_HTTP_NO_CONTENT
+        || u->headers_in.status_n == NGX_HTTP_NOT_MODIFIED
+        || r->method == NGX_HTTP_HEAD)
+    {
+        ctx->length = 0;
+
+    } else {
+        ctx->length = u->headers_in.content_length_n;
+    }

    if (ctx->end_stream) {
+
+        if (ctx->length > 0) {
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                          "upstream prematurely closed stream");
+            return NGX_ERROR;
+        }
+
        u->length = 0;
+
+    } else {
+        u->length = 1;
    }

    return NGX_OK;
@ -1999,6 +2019,12 @@ ngx_http_grpc_filter(void *data, ssize_t bytes)

                if (ctx->done) {

+                    if (ctx->length > 0) {
+                        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                      "upstream prematurely closed stream");
+                        return NGX_ERROR;
+                    }
+
                    /*
                     * We have finished parsing the response and the
                     * remaining control frames.  If there are unsent
@ -2052,6 +2078,17 @@ ngx_http_grpc_filter(void *data, ssize_t bytes)
                    return NGX_ERROR;
                }

+                if (ctx->length != -1) {
+                    if ((off_t) ctx->rest > ctx->length) {
+                        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                      "upstream sent response body larger "
+                                      "than indicated content length");
+                        return NGX_ERROR;
+                    }
+
+                    ctx->length -= ctx->rest;
+                }
+
                if (ctx->rest > ctx->recv_window) {
                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                                  "upstream violated stream flow control, "