[Varnish] #1055: Long values of shm_reclen is unsafe

Varnish varnish-bugs at varnish-cache.org
Wed Nov 9 12:58:04 CET 2011


#1055: Long values of shm_reclen is unsafe
----------------------+-----------------------------------------------------
 Reporter:  kristian  |       Owner:       
     Type:  defect    |      Status:  new  
 Priority:  normal    |   Milestone:       
Component:  varnishd  |     Version:  trunk
 Severity:  normal    |    Keywords:       
----------------------+-----------------------------------------------------
 Setting and using long values of shm_reclen causes problems as we run into
 other limits which are not dealt with properly, most notably the worker
 workspace.

 See:

 {{{
 varnishtest "Long shm_reclen"

 server s1 {
         rxreq
         txresp
 } -start

 varnish v1 -vcl+backend {
         import std;

         sub vcl_recv {
 std.log("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
         }
 } -start -cliok "param.set shm_reclen 65535"

 client c1 {
         txreq
         rxresp
 } -run
 }}}

 Output:

 {{{

 kristian at freud:~$ varnishtest overload.vtc
 #     top  TEST overload.vtc passed (0.480)
 kristian at freud:~$ varnishtest overload.vtc
 **** top   0.0 macro def varnishd=varnishd
 **** top   0.0 macro def pwd=/home/kristian
 **** top   0.0 macro def topbuild=/home/kristian/../..
 **** top   0.0 macro def bad_ip=10.255.255.255
 **** top   0.0 macro def tmpdir=/tmp/vtc.23549.1ee7ed79
 *    top   0.0 TEST overload.vtc starting
 ***  top   0.0 varnishtest
 *    top   0.0 TEST Long shm_reclen
 ***  top   0.0 server
 **   s1    0.0 Starting server
 **** s1    0.0 macro def s1_addr=127.0.0.1
 **** s1    0.0 macro def s1_port=60755
 **** s1    0.0 macro def s1_sock=127.0.0.1 60755
 *    s1    0.0 Listen on 127.0.0.1 60755
 ***  top   0.0 varnish
 **   s1    0.0 Started on 127.0.0.1 60755
 **   v1    0.0 Launch
 ***  v1    0.0 CMD: cd ${pwd} && ${varnishd} -d -d -n
 /tmp/vtc.23549.1ee7ed79/v1 -l 10m,1m,- -p auto_restart=off -p
 syslog_cli_traffic=off -a '127.0.0.1:0' -S /tmp/vtc.23549.1ee7ed79/v1/_S
 -M '127.0.0.1 47106' -P /tmp/vtc.23549.1ee7ed79/v1/varnishd.pid
 -sfile,/tmp/vtc.23549.1ee7ed79/v1,10M
 ***  v1    0.0 CMD: cd /home/kristian && varnishd -d -d -n
 /tmp/vtc.23549.1ee7ed79/v1 -l 10m,1m,- -p auto_restart=off -p
 syslog_cli_traffic=off -a '127.0.0.1:0' -S /tmp/vtc.23549.1ee7ed79/v1/_S
 -M '127.0.0.1 47106' -P /tmp/vtc.23549.1ee7ed79/v1/varnishd.pid
 -sfile,/tmp/vtc.23549.1ee7ed79/v1,10M
 ***  v1    0.0 PID: 23555
 ***  v1    0.0 debug| Platform: Linux,2.6.38-12-generic-
 pae,i686,-sfile,-smalloc,-hcritbit\n
 ***  v1    0.0 debug| 200 245     \n
 ***  v1    0.0 debug| -----------------------------\n
 ***  v1    0.0 debug| Varnish Cache CLI 1.0\n
 ***  v1    0.0 debug| -----------------------------\n
 ***  v1    0.0 debug| Linux,2.6.38-12-generic-
 pae,i686,-sfile,-smalloc,-hcritbit\n
 ***  v1    0.0 debug| \n
 ***  v1    0.0 debug| Type 'help' for command list.\n
 ***  v1    0.0 debug| Type 'quit' to close CLI session.\n
 ***  v1    0.0 debug| Type 'start' to launch worker process.\n
 ***  v1    0.0 debug| \n
 **** v1    0.1 CLIPOLL 1 0x1 0x0
 ***  v1    0.1 CLI connection fd = 9
 ***  v1    0.1 CLI RX  107
 **** v1    0.1 CLI RX| durjbesuecbyckgwozrzhzytnfqyucly\n
 **** v1    0.1 CLI RX| \n
 **** v1    0.1 CLI RX| Authentication required.\n
 **** v1    0.1 CLI TX| auth
 2c03d88f4efe5c174cd115f35d4aa8e311707ce289d00a2f5a532007214ac023\n
 ***  v1    0.1 CLI RX  200
 **** v1    0.1 CLI RX| -----------------------------\n
 **** v1    0.1 CLI RX| Varnish Cache CLI 1.0\n
 **** v1    0.1 CLI RX| -----------------------------\n
 **** v1    0.1 CLI RX| Linux,2.6.38-12-generic-
 pae,i686,-sfile,-smalloc,-hcritbit\n
 **** v1    0.1 CLI RX| \n
 **** v1    0.1 CLI RX| Type 'help' for command list.\n
 **** v1    0.1 CLI RX| Type 'quit' to close CLI session.\n
 **** v1    0.1 CLI RX| Type 'start' to launch worker process.\n
 **** v1    0.1 CLI TX| vcl.inline vcl1 << %XJEIFLH|)Xspa8P\n
 **** v1    0.1 CLI TX| backend s1 { .host = "127.0.0.1"; .port = "60755";
 }\n
 **** v1    0.1 CLI TX| \n
 **** v1    0.1 CLI TX| \n
 **** v1    0.1 CLI TX| \timport std;\n
 **** v1    0.1 CLI TX| \n
 **** v1    0.1 CLI TX| \tsub vcl_recv {\n
 **** v1    0.1 CLI TX|
 \t\tstd.log("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...
 ***  v1    0.2 CLI RX  200
 **** v1    0.2 CLI RX| VCL compiled.
 **** v1    0.2 CLI TX| vcl.use vcl1
 ***  v1    0.2 CLI RX  200
 **   v1    0.2 Start
 **** v1    0.2 CLI TX| start
 ***  v1    0.3 debug| child (23568) Started\n
 **** v1    0.3 vsl|     0 WorkThread   - 0xb50d200c start
 **** v1    0.3 vsl|     0 CLI          - Rd vcl.load "vcl1"
 ./vcl.5W0vwA9C.so
 **** v1    0.3 vsl|     0 CLI          - Wr 200 36 Loaded
 "./vcl.5W0vwA9C.so" as "vcl1"
 **** v1    0.3 vsl|     0 CLI          - Rd vcl.use "vcl1"
 **** v1    0.3 vsl|     0 CLI          - Wr 200 0
 **** v1    0.3 vsl|     0 CLI          - Rd start
 **** v1    0.3 vsl|     0 Debug        - Acceptor is epoll
 **** v1    0.3 vsl|     0 CLI          - Wr 200 0
 ***  v1    0.3 CLI RX  200
 **** v1    0.3 CLI TX| debug.xid 1000
 ***  v1    0.3 debug| Child (23568) said Not running as root, no priv-
 sep\n
 ***  v1    0.3 debug| Child (23568) said Child starts\n
 ***  v1    0.3 debug| Child (23568) said SMF.s0 mmap'ed 10485760 bytes of
 10485760\n
 **** v1    0.3 vsl|     0 WorkThread   - 0xb73ff00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb50c100c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb50b000c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb509f00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb508e00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb507d00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb506c00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb505b00c start
 **** v1    0.3 vsl|     0 WorkThread   - 0xb504a00c start
 ***  v1    0.3 CLI RX  200
 **** v1    0.3 CLI RX| XID is 1000
 **** v1    0.3 CLI TX| debug.listen_address
 **** v1    0.3 vsl|     0 CLI          - Rd debug.xid 1000
 **** v1    0.3 vsl|     0 CLI          - Wr 200 11 XID is 1000
 ***  v1    0.3 CLI RX  200
 **** v1    0.3 CLI RX| 127.0.0.1 45836\n
 **   v1    0.3 Listen on 127.0.0.1 45836
 **** v1    0.3 macro def v1_addr=127.0.0.1
 **** v1    0.3 macro def v1_port=45836
 **** v1    0.3 macro def v1_sock=127.0.0.1 45836
 **** v1    0.3 CLI TX| param.set shm_reclen 65535
 **** v1    0.4 vsl|     0 CLI          - Rd debug.listen_address
 **** v1    0.4 vsl|     0 CLI          - Wr 200 16 127.0.0.1 45836

 ***  v1    0.4 CLI RX  200
 **   v1    0.4 CLI 200 <param.set shm_reclen 65535>
 ***  top   0.4 client
 **   c1    0.4 Starting client
 **   c1    0.4 Waiting for client
 ***  c1    0.4 Connect to 127.0.0.1 45836
 ***  c1    0.4 connected fd 10 from 127.0.0.1 36171 to 127.0.0.1 45836
 ***  c1    0.4 txreq
 **** c1    0.4 txreq| GET / HTTP/1.1\r\n
 **** c1    0.4 txreq| \r\n
 ***  c1    0.4 rxresp
 ---- c1    0.4 HTTP rx failed (fd:10 read: Connection reset by peer)
 ***  v1    0.4 debug| Child (23568) died signal=11\n
 ***  v1    0.4 debug| Child cleanup complete\n
 *    top   0.4 RESETTING after overload.vtc
 **   s1    0.4 Waiting for server
 **** s1    0.4 macro undef s1_addr
 **** s1    0.4 macro undef s1_port
 **** s1    0.4 macro undef s1_sock
 **   v1    1.4 Wait
 **   v1    1.4 R 23555 Status: 0000
 *    top   1.4 TEST overload.vtc FAILED

 #     top  TEST overload.vtc FAILED (1.423) exit=1
 }}}

 Note particularly that this did NOT segfault consistently.

-- 
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1055>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator




More information about the varnish-bugs mailing list