net/http: Server.ConnContext accidentally modifies context for all connections

[rkollar]

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What did you do?

Docs of ConnContext say that:

ConnContext optionally specifies a function that modifies the context used for a new connection c.

However, it assigns this new context to a variable shared between connections in the accept loop. Thus creating a growing chain of contexts.

Example code:

package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

func main() {
	server := &http.Server{
		Addr: ":4444",
		Handler: http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
			rw.Header().Set("Connection", "close")
		}),
		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
			fmt.Printf("conn: %s\n", c.RemoteAddr())

			if c2 := ctx.Value("conn"); c2 != nil {
				fmt.Printf("existing: %s\n", c2.(net.Conn).RemoteAddr())
			}

			return context.WithValue(ctx, "conn", c)
		},
	}
	go func() {
		panic(server.ListenAndServe())
	}()

	var err error

	fmt.Printf("\nrequest 1:\n")
	_, err = http.Get("http://localhost:4444/")
	if err != nil {
		panic(err)
	}
	fmt.Printf("request 1 done\n")

	fmt.Printf("\nrequest 2:\n")
	_, err = http.Get("http://localhost:4444/")
	if err != nil {
		panic(err)
	}
	fmt.Printf("request 2 done\n")
}

What did you expect to see?

request 1:
conn: [::1]:34022
request 1 done

request 2:
conn: [::1]:34024
request 2 done

What did you see instead?

request 1:
conn: [::1]:34022
request 1 done

request 2:
conn: [::1]:34024
existing: [::1]:34022
request 2 done

[bradfitz]

Wow, whoops. Thanks for the report!

[gopherbot]

Change https://golang.org/cl/208318 mentions this issue: net/http: fix Server.ConnContext modifying context for all new connections

[rkollar]

I would like to note that this could have some security implications. A large number of connections will eat both CPU and memory. For example: )

[bradfitz]

@rkollar, no need to convince me of its importance; I was already planning to backport this to previous releases. I'm just waiting on a test in that PR/CL. I can take the change over if you'd like.

[rkollar]

@bradfitz I'm already working on it, but it's my first submission and I have to go over the existing tests to learn what are the conventions. You can take over if you don't want to wait.

[bradfitz]

@gopherbot, please backport to Go 1.13.

[gopherbot]

Backport issue(s) opened: #35765 (for 1.13).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/208235 mentions this issue: [release-branch.go1.13] net/http: fix Server.ConnContext modifying context for all new connections

[agirbal]

Ah we just spent many hours trying to figure out why there seemed to be a massive memory leak following the use of this feature... Good catch and can't wait for fix!