Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: fix panic error message on Request.Body read after Hijack #20933

Closed
jlhawn opened this issue Jul 6, 2017 · 6 comments
Closed

net/http: fix panic error message on Request.Body read after Hijack #20933

jlhawn opened this issue Jul 6, 2017 · 6 comments

Comments

@jlhawn
Copy link

@jlhawn jlhawn commented Jul 6, 2017

What version of Go are you using (go version)?

go version go1.8.3 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOOS="darwin

nit: Isn't this already in the go version output above?

What did you do?

If (*http.Request).Body is read after the connection is hijacked, a backgroundRead operation is triggered once EOF of the body is encountered. This background read will read from the underlying connection when it shouldn't (because the connection has been hijacked).

What did you expect to see?

I would expect this program to not fail: https://play.golang.org/p/QUXm31VhCr

Note that if I change that program to always read from the hijacked connection buffer, it will panic instead: https://play.golang.org/p/E7UyjfgkdS

http: panic serving 127.0.0.1:3: invalid concurrent Body.Read call

What did you see instead?

The backgroundRead callback happens unconditionally and will read a byte from the connection that is lost if you then try to read directly from the conn and will result in a panic if you try to read from the buffered reader.

The programs above worked as expected in go1.7


The bug seems to be introduced here:

go/src/net/http/server.go

Lines 1683 to 1684 in faf882d

if requestBodyRemains(req.Body) {
registerOnHitEOF(req.Body, w.conn.r.startBackgroundRead)

cc @bradfitz

Before calling ServeHTTP(w, r), if requestBodyRemains then a callback is registered which will begin a backgroundRead once the body is fully read. The background read probably should not occur if the connection has been hijacked.

A proposed fix would be to change startBackgroundRead to check if cr.conn.hijacked() immediately after acquiring the lock and return early if the connection has been hijacked.

@bradfitz

This comment has been minimized.

Copy link
Contributor

@bradfitz bradfitz commented Jul 6, 2017

Yes, this was changed in Go 1.8.

After your call to Hijack, you're not supposed to read from Request.Body anymore. I'll keep this bug open to fix that error message.

After a hijack, you're expected to read from the returned bufio.Reader:

https://golang.org/pkg/net/http/#Hijacker

// The returned bufio.Reader may contain unprocessed buffered
// data from the client.

(That includes the 1 byte)

BTW, the time for Go 1.8 feedback was in December. We're currently wrapping up Go 1.9, which is almost out. If you could test Go 1.9beta2, that'd b egreat.

@bradfitz bradfitz changed the title Single byte missing after hijacking HTTP connection net/http: fix panic error message on Request.Body read after Hijack Jul 6, 2017
@bradfitz bradfitz added the NeedsFix label Jul 6, 2017
@bradfitz bradfitz added this to the Go1.10 milestone Jul 6, 2017
@jlhawn

This comment has been minimized.

Copy link
Author

@jlhawn jlhawn commented Jul 6, 2017

After your call to Hijack, you're not supposed to read from Request.Body anymore.

Is that explicitly documented anywhere?

I can confirm that rearranging the example so that it Hijacks only after fully reading the request seems to fix it: https://play.golang.org/p/akmrJbBnN6

wsong pushed a commit to wsong/swarm that referenced this issue Jul 7, 2017
Apparently, reading from Request.Body after a hijack is not allowed:

golang/go#20933

So we need to make sure that we stop messing with the request after the
hijack call. I also ensured that we read any buffered data that might be there.

Signed-off-by: Wayne Song <wsong@docker.com>
wsong pushed a commit to wsong/swarm that referenced this issue Jul 11, 2017
Apparently, reading from Request.Body after a hijack is not allowed:

golang/go#20933

So we need to make sure that we stop messing with the request after the
hijack call. I also ensured that we read any buffered data that might be there.

Signed-off-by: Wayne Song <wsong@docker.com>
@odeke-em

This comment has been minimized.

Copy link
Member

@odeke-em odeke-em commented Jul 21, 2017

Hello @bradfitz, @JiHawn replied asking if we've documented that "After your call to Hijack, you're not supposed to read from Request.Body anymore." -- it doesn't seem like that's documented AFAIK from https://tip.golang.org/pkg/net/http
screen shot 2017-07-20 at 9 51 31 pm

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jul 21, 2017

CL https://golang.org/cl/50634 mentions this issue.

@bradfitz

This comment has been minimized.

Copy link
Contributor

@bradfitz bradfitz commented Jul 21, 2017

Okay, it's now documented for Go 1.9 in c522b2b. We can panic more nicely in Go 1.10.

gopherbot pushed a commit that referenced this issue Jul 21, 2017
We can make it panic with a more explicit and readable error message
during Go 1.10, but document it for now. This has always been the
case; it's not a new rule.

Updates #20933

Change-Id: I53c1fefb47a8f4aae0bb32fa742afa3a2ed20e8a
Reviewed-on: https://go-review.googlesource.com/50634
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Aug 29, 2017

Change https://golang.org/cl/59850 mentions this issue: net/http: make startBackgroundRead panic if hijacked

@gopherbot gopherbot closed this in 915126b Aug 31, 2017
@golang golang locked and limited conversation to collaborators Aug 31, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.