Merge remote-tracking branch 'asf/9.0.x' into 9.0.x

* asf/9.0.x:
  Updated ChangeLog
  Adds null check (apache#6994)
  Fix memory leak in header_rewrite (apache#6986)
  Preserve cert name through ssl vc migration (apache#6977)
  Assert non-zero HdrHeap object size (apache#6954)
  Issue 6847 Fixing documentation for secondary_mode (apache#6851)
  fix leak in early data (apache#6957)
  Fixes use after free when boringssl is used (apache#6985)
  Fix out of source tree builds for QUIC (apache#6984)

CHANGELOG-9.0.0

@@ -995,5 +995,10 @@ Changes with Apache Traffic Server 9.0.0
   #6949 - Set the default thread count factor to 1x the number of logical cores
   #6950 - Prevent buffer overflow during log filter actions
   #6953 - Assert on valid boundaries for UserArgTable access
+  #6954 - Assert non-zero HdrHeap object size
+  #6957 - Fix leak in early data
   #6968 - RateLimiting and Connection Config changes
   #6969 - Update docs for some DNS config settings
+  #6984 - Fix out of source tree builds for QUIC
+  #6985 - Fixes use after free when boringssl is used
+  #6994 - Adds null check

doc/admin-guide/files/parent.config.en.rst

@@ -185,7 +185,13 @@ The following list shows the possible actions and their allowed values.
       - If the chosen parent is marked down then another parent will
         be chosen from the ``secondary_parent`` list. The
         ``secondary_parent`` list will be exhausted before attempting
-        to choose another parent in the ``parent`` list.
+        to choose another parent in the ``parent`` list. This depends
+        on taking a parent down from a particular EDGE using traffic_ctl
+        like ``traffic_ctl host down sample.server.com``. This will be
+        useful during maintenance window or as a debugging aid when a
+        user wants to take down specific parents. Taking parents down
+        using ``traffic_ctl`` will cause the EDGE to ignore those parent
+        immediately from parent selection logic.
 
       - If the chosen parent is unavailable but not marked down then
         another parent will be chosen from the ``parent`` list. The

iocore/net/SSLUtils.cc

@@ -1833,10 +1833,6 @@ SSLAccept(SSL *ssl)
 
   if (SSLConfigParams::server_max_early_data > 0 && !netvc->early_data_finish) {
     size_t nread;
-    if (netvc->early_data_buf == nullptr) {
-      netvc->early_data_buf    = new_MIOBuffer(BUFFER_SIZE_INDEX_16K);
-      netvc->early_data_reader = netvc->early_data_buf->alloc_reader();
-    }
 
     while (true) {
       IOBufferBlock *block = new_IOBufferBlock();
@@ -1845,9 +1841,14 @@ SSLAccept(SSL *ssl)
 
       if (ret == SSL_READ_EARLY_DATA_ERROR) {
         Debug("ssl_early_data", "SSL_READ_EARLY_DATA_ERROR");
+        block->free();
         break;
       } else {
         if (nread > 0) {
+          if (netvc->early_data_buf == nullptr) {
+            netvc->early_data_buf    = new_MIOBuffer(BUFFER_SIZE_INDEX_16K);
+            netvc->early_data_reader = netvc->early_data_buf->alloc_reader();
+          }
           block->fill(nread);
           netvc->early_data_buf->append_block(block);
           SSL_INCREMENT_DYN_STAT(ssl_early_data_received_count);
@@ -1856,13 +1857,15 @@ SSLAccept(SSL *ssl)
             std::string early_data_str(reinterpret_cast<char *>(block->buf()), nread);
             Debug("ssl_early_data_show_received", "Early data buffer: \n%s", early_data_str.c_str());
           }
+        } else {
+          block->free();
         }
 
         if (ret == SSL_READ_EARLY_DATA_FINISH) {
           netvc->early_data_finish = true;
           Debug("ssl_early_data", "SSL_READ_EARLY_DATA_FINISH: size = %lu", nread);
 
-          if (netvc->early_data_reader->read_avail() == 0) {
+          if (netvc->early_data_reader == nullptr || netvc->early_data_reader->read_avail() == 0) {
             Debug("ssl_early_data", "no data in early data buffer");
             ERR_clear_error();
             ret = SSL_accept(ssl);
@@ -2191,12 +2194,8 @@ SSLMultiCertConfigLoader::set_session_id_context(SSL_CTX *ctx, const SSLConfigPa
   const char *setting_cert = sslMultCertSettings ? sslMultCertSettings->cert.get() : nullptr;
   bool result              = false;
 
-  // Set the list of CA's to send to client if we ask for a client certificate
   if (params->serverCACertFilename) {
     ca_list = SSL_load_client_CA_file(params->serverCACertFilename);
-    if (ca_list) {
-      SSL_CTX_set_client_CA_list(ctx, ca_list);
-    }
   }
 
   if (EVP_DigestInit_ex(digest, evp_md_func, nullptr) == 0) {
@@ -2223,6 +2222,9 @@ SSLMultiCertConfigLoader::set_session_id_context(SSL_CTX *ctx, const SSLConfigPa
         goto fail;
       }
     }
+
+    // Set the list of CA's to send to client if we ask for a client certificate
+    SSL_CTX_set_client_CA_list(ctx, ca_list);
   }
 
   if (EVP_DigestFinal_ex(digest, hash_buf, &hash_len) == 0) {

iocore/net/UnixNetVConnection.cc

@@ -1394,8 +1394,9 @@ UnixNetVConnection::migrateToCurrentThread(Continuation *cont, EThread *t)
   hold_con.move(this->con);
   SSLNetVConnection *sslvc = dynamic_cast<SSLNetVConnection *>(this);
 
-  SSL *save_ssl = (sslvc) ? sslvc->ssl : nullptr;
-  if (save_ssl) {
+  SSL *save_ssl = nullptr;
+  if (sslvc) {
+    save_ssl = sslvc->ssl;
     SSLNetVCDetach(sslvc->ssl);
     sslvc->ssl = nullptr;
   }
@@ -1409,7 +1410,7 @@ UnixNetVConnection::migrateToCurrentThread(Continuation *cont, EThread *t)
   // Create new VC:
   UnixNetVConnection *netvc = nullptr;
   if (save_ssl) {
-    SSLNetVConnection *sslvc = static_cast<SSLNetVConnection *>(sslNetProcessor.allocate_vc(t));
+    sslvc = static_cast<SSLNetVConnection *>(sslNetProcessor.allocate_vc(t));
     if (sslvc->populate(hold_con, cont, save_ssl) != EVENT_DONE) {
       sslvc->do_io_close();
       sslvc = nullptr;
@@ -1427,6 +1428,9 @@ UnixNetVConnection::migrateToCurrentThread(Continuation *cont, EThread *t)
       netvc->set_context(get_context());
     }
   }
+  if (netvc) {
+    netvc->options = this->options;
+  }
   // Do not mark this closed until the end so it does not get freed by the other thread too soon
   this->do_io_close();
   return netvc;

iocore/net/quic/Makefile.am

@@ -18,6 +18,7 @@
 
 AM_CPPFLAGS += \
   $(iocore_include_dirs) \
+  -I$(abs_top_srcdir)/include \
   -I$(abs_top_srcdir)/lib \
   -I$(abs_top_srcdir)/lib/records \
   -I$(abs_top_srcdir)/proxy \

plugins/header_rewrite/conditions.cc

@@ -344,12 +344,15 @@ ConditionUrl::append_value(std::string &s, const Resources &res)
     TSDebug(PLUGIN_NAME, "   Scheme to match is: %.*s", i, q_str);
     break;
   case URL_QUAL_URL:
-  case URL_QUAL_NONE:
-    q_str = TSUrlStringGet(bufp, url, &i);
-    s.append(q_str, i);
-    TSDebug(PLUGIN_NAME, "   URL to match is: %.*s", i, q_str);
+  case URL_QUAL_NONE: {
+    // TSUrlStringGet returns an allocated char * we must free
+    char *non_const_q_str = TSUrlStringGet(bufp, url, &i);
+    s.append(non_const_q_str, i);
+    TSDebug(PLUGIN_NAME, "   URL to match is: %.*s", i, non_const_q_str);
+    TSfree(non_const_q_str);
     break;
   }
+  }
 }
 
 bool

proxy/hdrs/HdrHeap.cc

@@ -400,6 +400,9 @@ HdrHeap::evacuate_from_str_heaps(HdrStrHeap *new_heap)
     while (data < h->m_free_start) {
       HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
 
+      // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+      ink_release_assert(0 != obj->m_length);
+
       switch (obj->m_type) {
       case HDR_HEAP_OBJ_URL:
         ((URLImpl *)obj)->move_strings(new_heap);
@@ -440,6 +443,9 @@ HdrHeap::required_space_for_evacuation()
     while (data < h->m_free_start) {
       HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
 
+      // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+      ink_release_assert(0 != obj->m_length);
+
       switch (obj->m_type) {
       case HDR_HEAP_OBJ_URL:
         ret += ((URLImpl *)obj)->strings_length();
@@ -514,6 +520,9 @@ HdrHeap::sanity_check_strs()
     while (data < h->m_free_start) {
       HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
 
+      // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+      ink_release_assert(0 != obj->m_length);
+
       switch (obj->m_type) {
       case HDR_HEAP_OBJ_URL:
         ((URLImpl *)obj)->check_strings(heaps, num_heaps);
@@ -937,6 +946,9 @@ HdrHeap::unmarshal(int buf_length, int obj_type, HdrHeapObjImpl **found_obj, Ref
     HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(obj_data);
     ink_assert(obj_is_aligned(obj));
 
+    // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+    ink_release_assert(0 != obj->m_length);
+
     if (obj->m_type == static_cast<unsigned>(obj_type) && *found_obj == nullptr) {
       *found_obj = obj;
     }

proxy/http/HttpSM.cc

@@ -1809,10 +1809,13 @@ HttpSM::state_http_server_open(int event, void *data)
   case VC_EVENT_ACTIVE_TIMEOUT:
   case VC_EVENT_ERROR:
   case NET_EVENT_OPEN_FAILED: {
-    NetVConnection *vc = server_session->get_netvc();
-    if (vc) {
-      server_connection_provided_cert = vc->provided_cert();
+    if (server_session) {
+      NetVConnection *vc = server_session->get_netvc();
+      if (vc) {
+        server_connection_provided_cert = vc->provided_cert();
+      }
     }
+
     t_state.current.state = HttpTransact::CONNECTION_ERROR;
     // save the errno from the connect fail for future use (passed as negative value, flip back)
     t_state.current.server->set_connect_fail(event == NET_EVENT_OPEN_FAILED ? -reinterpret_cast<intptr_t>(data) : ECONNABORTED);

proxy/http3/Makefile.am

@@ -19,6 +19,7 @@
 
 AM_CPPFLAGS += \
   $(iocore_include_dirs) \
+  -I$(abs_top_srcdir)/include \
   -I$(abs_top_srcdir)/proxy/api/ts \
   -I$(abs_top_srcdir)/lib \
   -I$(abs_top_srcdir)/lib/records \

src/traffic_quic/Makefile.inc

@@ -20,6 +20,7 @@ bin_PROGRAMS += traffic_quic/traffic_quic
 traffic_quic_traffic_quic_CPPFLAGS = \
 	$(AM_CPPFLAGS) \
 	$(iocore_include_dirs) \
+	-I$(abs_top_srcdir)/include \
 	-I$(abs_top_srcdir)/lib \
 	-I$(abs_top_srcdir)/lib/records \
 	-I$(abs_top_srcdir)/mgmt \