🔀 🐛 Correctly handle memory request failures.
commit eae8ec3
Author: ADD-SP <me@addesp.com>
Date:   Tue Jan 12 12:15:28 2021 +0800

    :bug: Correctly handle memory request failures.

commit 25a6dea
Author: ADD-SP <me@addesp.com>
Date:   Sun Jan 10 15:14:21 2021 +0800

    :twisted_rightwards_arrows: Synchronize the hotfix of master.

    commit d00ccea
    Author: ADD-SP <me@addesp.com>
    Date:   Sun Jan 10 15:12:45 2021 +0800

        :twisted_rightwards_arrows: :bug: Fixed a build error on Alpine Linux. #17

        commit a8bb0871273f79c9c4709e319bd3d2533e8f9428
        Author: ADD-SP <me@addesp.com>
        Date:   Sun Jan 10 15:08:51 2021 +0800

            :loud_sound: Update CHANGES.

        commit e989aa3
        Author: ADD-SP <me@addesp.com>
        Date:   Sat Jan 9 20:05:40 2021 +0800

            :ambulance: Undefined behavior of the C language.

commit 070819c
Author: ADD-SP <me@addesp.com>
Date:   Sun Jan 10 15:03:57 2021 +0800

    :loud_sound: Update CHANGES.

commit 0e7b464
Author: ADD-SP <me@addesp.com>
Date:   Sat Jan 9 18:09:05 2021 +0800

    :bug: Segmentation fault.

commit c9dfd31
Author: ADD-SP <me@addesp.com>
Date:   Fri Jan 8 17:55:28 2021 +0800

    :bug: Constant blocking time of one minute.

    When an IP triggers CC-DENY, the blocking time is constant for one minute.
ADD-SP committed Jan 12, 2021
1 parent 267612b commit 1e3d650
Showing 4 changed files with 70 additions and 57 deletions.
32 changes: 20 additions & 12 deletions inc/ngx_http_waf_module_check.h
Expand Up @@ -257,25 +257,33 @@ static ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r, ngx_int_t*
if (diff_clear_minute > max(60, srv_conf->waf_cc_deny_duration * 5)) {
token_bucket_set_clear(set);
set->last_clear = now;
set->last_put = now;
} else if (diff_put_minute >= 1) {
token_bucket_set_put(set, NULL, srv_conf->waf_cc_deny_limit, now);
set->last_put = now;
}



if (token_bucket_set_take(set, &inx_addr, 1, now) != SUCCESS) {
ctx->blocked = FALSE;
strcpy((char*)ctx->rule_type, "CC-DNEY");
strcpy((char*)ctx->rule_deatils, "");
*out_http_status = NGX_HTTP_SERVICE_UNAVAILABLE;
ngx_shmtx_unlock(&shpool->mutex);
return MATCHED;
ngx_int_t ret = NOT_MATCHED;
switch (token_bucket_set_take(set, &inx_addr, 1, now)) {
case MALLOC_ERROR:
ngx_log_error(NGX_LOG_WARN, r->connection->log, 0,
"ngx_waf: Unable to allocate shared memory, the next request will reset the shared memory pool.");
set->last_clear = 0;
set->last_put = 0;
break;
case FAIL:
ctx->blocked = FALSE;
strcpy((char*)ctx->rule_type, "CC-DNEY");
strcpy((char*)ctx->rule_deatils, "");
*out_http_status = NGX_HTTP_SERVICE_UNAVAILABLE;
ret = MATCHED;
break;
case SUCCESS:
break;
}



ngx_shmtx_unlock(&shpool->mutex);
return NOT_MATCHED;
return ret;
}


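Review bot: The `case MALLOC_ERROR:` branch leaves `ret` at NOT_MATCHED, so a request whose bucket could not be allocated passes the CC check — the limiter fails open for that request and stays that way until the deferred reset (`set->last_clear = 0`) makes the `diff_clear_minute` branch at the top of the hunk call `token_bucket_set_clear` on a later request. `shpool->mutex` appears to be held here (it is released at the unlock below) and `token_bucket_set_clear(set)` is already called under that same lock a few lines up, so the reset could be performed immediately unless deferring it is intentional; either way the policy deserves a comment such as `/* allocation failed: fail open for this request and force a full pool reset on the next one */`. The switch also has no `default:`; `default: break;` makes an unexpected status from token_bucket_set_take explicit rather than silently falling out of the switch with NOT_MATCHED. The enclosing ngx_http_waf_handler_check_cc starts before the hunk.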
14 changes: 7 additions & 7 deletions inc/ngx_http_waf_module_ip_trie.h
Expand Up @@ -63,7 +63,7 @@ static ngx_int_t ip_trie_init(ip_trie_t** trie, ngx_pool_t* memory_pool, int ip_

*trie = (ip_trie_t*)ngx_pcalloc(memory_pool, sizeof(ip_trie_t));
if (*trie == NULL) {
return FAIL;
return MALLOC_ERROR;
}

(*trie)->ip_type = ip_type;
Expand All @@ -72,7 +72,7 @@ static ngx_int_t ip_trie_init(ip_trie_t** trie, ngx_pool_t* memory_pool, int ip_
(*trie)->size = 0;

if ((*trie)->root == NULL) {
return FAIL;
return MALLOC_ERROR;
}

return SUCCESS;
Expand All @@ -91,7 +91,7 @@ static ngx_int_t ip_trie_add(ip_trie_t* trie, inx_addr_t* inx_addr, uint32_t suf

new_node = (ip_trie_node_t*)ngx_pcalloc(trie->memory_pool, sizeof(ip_trie_node_t));
if (new_node == NULL) {
return FAIL;
return MALLOC_ERROR;
}

new_node->is_ip = TRUE;
Expand Down Expand Up @@ -119,7 +119,7 @@ static ngx_int_t ip_trie_add(ip_trie_t* trie, inx_addr_t* inx_addr, uint32_t suf
if (cur_node == NULL) {
cur_node = (ip_trie_node_t*)ngx_pcalloc(trie->memory_pool, sizeof(ip_trie_node_t));
if (cur_node == NULL) {
return FAIL;
return MALLOC_ERROR;
}
if (prev_bit == 0) {
prev_node->left = cur_node;
Expand All @@ -140,7 +140,7 @@ static ngx_int_t ip_trie_add(ip_trie_t* trie, inx_addr_t* inx_addr, uint32_t suf
if (cur_node == NULL) {
cur_node = (ip_trie_node_t*)ngx_pcalloc(trie->memory_pool, sizeof(ip_trie_node_t));
if (cur_node == NULL) {
return FAIL;
return MALLOC_ERROR;
}
if (prev_bit == 0) {
prev_node->left = cur_node;
Expand All @@ -161,7 +161,7 @@ static ngx_int_t ip_trie_add(ip_trie_t* trie, inx_addr_t* inx_addr, uint32_t suf
if (cur_node == NULL) {
cur_node = (ip_trie_node_t*)ngx_pcalloc(trie->memory_pool, sizeof(ip_trie_node_t));
if (cur_node == NULL) {
return FAIL;
return MALLOC_ERROR;
}
if (prev_bit == 0) {
prev_node->left = cur_node;
Expand All @@ -182,7 +182,7 @@ static ngx_int_t ip_trie_add(ip_trie_t* trie, inx_addr_t* inx_addr, uint32_t suf
if (cur_node == NULL) {
cur_node = (ip_trie_node_t*)ngx_pcalloc(trie->memory_pool, sizeof(ip_trie_node_t));
if (cur_node == NULL) {
return FAIL;
return MALLOC_ERROR;
}
if (prev_bit == 0) {
prev_node->left = cur_node;
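Review bot: Changing the allocation-failure return of ip_trie_init and ip_trie_add from FAIL (0) to MALLOC_ERROR (3) is only safe if every caller tests `!= SUCCESS`; a caller written as `if (ret == FAIL)` would now treat a failed ngx_pcalloc as success and continue with a NULL `*trie` or as if the node had been inserted. The callers are outside this diff, so the call sites need to be checked as part of this change. A `@return` line on each function's header (`SUCCESS on success, MALLOC_ERROR when ngx_pcalloc fails`) would make the new contract explicit. Both functions start before their hunks.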
26 changes: 16 additions & 10 deletions inc/ngx_http_waf_module_macro.h
Expand Up @@ -20,33 +20,39 @@
#define WHITE_URL_FILE ("white-url")
#define WHITE_REFERER_FILE ("white-referer")

#ifndef TRUE
#define TRUE (1)
#endif

#ifndef FALSE
#define FALSE (0)
#endif

#ifndef FAIL
#define FAIL (0)
#endif

#ifndef NOT_MATCHED
#define NOT_MATCHED (0)
#endif

#ifndef TRUE
#define TRUE (1)
#endif

#ifndef SUCCESS
#define SUCCESS (1)
#endif

#ifndef FAIL
#define FAIL (0)
#ifndef MATCHED
#define MATCHED (1)
#endif

#ifndef PROCESSING
#define PROCESSING (2)
#endif

#ifndef MATCHED
#define MATCHED (1)
#ifndef MALLOC_ERROR
#define MALLOC_ERROR (3)
#endif

#ifndef NOT_MATCHED
#define NOT_MATCHED (0)
#endif

/**
* @def RULE_MAX_LEN
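Review bot: MALLOC_ERROR (3) is the first status that callers now distinguish from FAIL in a `switch`, yet nothing in this block says that FAIL and NOT_MATCHED are both 0 and SUCCESS and MATCHED both 1, so a future constant reusing one of those values would silently collide with an existing case label. A short comment above the group, such as `/* Status codes: FAIL and NOT_MATCHED are intentionally both 0 and SUCCESS and MATCHED both 1; PROCESSING and MALLOC_ERROR must stay distinct from them because callers switch on the result. */`, records the invariant. The `#ifndef` guards also mean a prior definition of any of these names with a different value would change behaviour without any warning; if that is not intended, an `enum` would be the safer form, but that is a larger change than this commit.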
55 changes: 27 additions & 28 deletions inc/ngx_http_waf_module_token_bucket_set.h
Expand Up @@ -120,67 +120,66 @@ ngx_int_t token_bucket_set_init(token_bucket_set_t* set,

ngx_int_t token_bucket_set_take(token_bucket_set_t* set, inx_addr_t* inx_addr, ngx_uint_t count, time_t now) {
token_bucket_t* bucket = NULL;
ngx_int_t ret_status = SUCCESS;
HASH_FIND(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);

if (bucket == NULL) {
bucket = (token_bucket_t*)_token_bucket_set_malloc(set, sizeof(token_bucket_t));
if (bucket == NULL) {
ret_status = FAIL;
return MALLOC_ERROR;
} else {
memcpy(&(bucket->inx_addr), inx_addr, sizeof(inx_addr_t));
bucket->count = set->init_count;
bucket->is_ban = FALSE;
bucket->last_ban_time = 0;
HASH_ADD(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);
}
memcpy(&(bucket->inx_addr), inx_addr, sizeof(inx_addr_t));
bucket->count = set->init_count;
bucket->is_ban = FALSE;
bucket->last_ban_time = 0;
HASH_ADD(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);
}

if (ret_status == SUCCESS && bucket->is_ban == FALSE) {
if (bucket->is_ban == FALSE) {
if (bucket->count >= count) {
bucket->count -= count;
} else {
bucket->is_ban = TRUE;
bucket->last_ban_time = now;
ret_status = FAIL;
return FAIL;
}
} else {
ret_status = FAIL;
return FAIL;
}

return ret_status;
return SUCCESS;
}


ngx_int_t token_bucket_set_put(token_bucket_set_t* set, inx_addr_t* inx_addr, ngx_uint_t count, time_t now) {
token_bucket_t* bucket = NULL;
ngx_int_t ret_status = SUCCESS;

if (inx_addr != NULL) {
HASH_FIND(hh, set->head, &bucket->inx_addr, sizeof(inx_addr_t), bucket);

if (bucket == NULL) {
bucket = (token_bucket_t*)_token_bucket_set_malloc(set, sizeof(token_bucket_t));
if (bucket == NULL) {
ret_status = FAIL;
return MALLOC_ERROR;
} else {
memcpy(&(bucket->inx_addr), inx_addr, sizeof(inx_addr_t));
bucket->is_ban = FALSE;
bucket->last_ban_time = 0;
bucket->count = count;
HASH_ADD(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);
}
memcpy(&(bucket->inx_addr), inx_addr, sizeof(inx_addr_t));
bucket->is_ban = FALSE;
bucket->last_ban_time = 0;
bucket->count = count;
HASH_ADD(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);
}

if (ret_status == SUCCESS) {
if (bucket->is_ban == TRUE) {
double diff_time_minute = difftime(now, bucket->last_ban_time) / 60;
if (diff_time_minute > set->ban_duration) {
bucket->is_ban = FALSE;
bucket->count = count;
}
} else {
bucket->count += count;
if (bucket->is_ban == TRUE) {
double diff_time_minute = difftime(now, bucket->last_ban_time) / 60;
if (diff_time_minute > set->ban_duration) {
bucket->is_ban = FALSE;
bucket->count = count;
}
} else {
bucket->count += count;
}

} else {
for (bucket = set->head; bucket != NULL; bucket = (token_bucket_t*)(bucket->hh.next)) {
if (bucket->is_ban == TRUE) {
Expand All @@ -195,7 +194,7 @@ ngx_int_t token_bucket_set_put(token_bucket_set_t* set, inx_addr_t* inx_addr, ng
}
}

return ret_status;
return SUCCESS;
}

ngx_int_t token_bucket_set_clear(token_bucket_set_t* set) {
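Review bot: In token_bucket_set_put the lookup `HASH_FIND(hh, set->head, &bucket->inx_addr, sizeof(inx_addr_t), bucket);` takes its key from `bucket`, which is still NULL at that point, so the key pointer is formed from a null pointer (undefined behaviour, in practice a read near address 0); it should use the parameter as token_bucket_set_take does: `HASH_FIND(hh, set->head, inx_addr, sizeof(inx_addr_t), bucket);`. The only caller visible in this diff passes `inx_addr` as NULL, which is probably why this branch has not crashed yet, but the new `return MALLOC_ERROR` path in this function sits behind that broken lookup, so the handling added here is unreachable in a correct way until the key is fixed. Dropping `ret_status` in favour of early returns is cleaner; a `@return` line listing SUCCESS, FAIL and MALLOC_ERROR on both functions would complete the change. token_bucket_set_take is fully inside the hunk; token_bucket_set_put continues past it.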
