Hello,
Squid's ssl_crtd helper may produce responses exceeding 9907 bytes
in size (and possibly much larger if multiple chained certificates need
to be returned to Squid). The old helper.cc code would fill the 8KB read
buffer completely, schedule a read for zero bytes, receive zero bytes,
declare an EOF condition, and close the stream (which kills ssl_crtd).
Due to insufficient information logged, the observable symptoms were
pretty much the same as if ssl_crtd closed the stream first, indicating
an ssl_crtd bug.
BUF_8KB comments indicated that other helpers may use larger-then-8KB
messages as well although no specific cases were identified.
We now warn if the read buffer reaches its capacity and kill the
offending helper explicitly (because we cannot safely recover from this
condition without implementing growing message accumulation buffers).
And an increase in minimum buffer capacity to 32KB should make such
events rare.
Please note that this minimal patch does not attempt to fix many other
problems with helper code, including rampant code duplication and fixed
message buffer size. I am not planning to work on these problems right
now, and patches to address them are welcomed.
Thank you,
Alex.
This archive was generated by hypermail 2.2.0 : Tue Feb 28 2012 - 12:00:21 MST