1 files changed, 45 insertions, 24 deletions

diff --git a/networking/httpd.c b/networking/httpd.c
index 4c04df86f..ed6b0682e 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -290,7 +290,29 @@
 //usage:     "\n        -e STRING       HTML encode STRING"
 //usage:     "\n        -d STRING       URL decode STRING"
 
-/* TODO: use TCP_CORK, parse_config() */
+/* Robustness
+ *
+ * Even though the design is geared towards simplicity, it is meant to
+ * survive in a mildly adversarial environment:
+ * - it does not accept unlimited number of connections (-M MAXCONN)
+ * - it requires clients to send their incoming requests quickly
+ *   (HEADER_READ_TIMEOUT)
+ * - if client stops consuming its result ("stalled receiver" attack),
+ *   the server will drop the connection (DATA_WRITE_TIMEOUT)
+ *
+ * To limit the number of simultaneously running CGI children,
+ * you may use the helper tool, httpd_ratelimit_cgi.c:
+ * it replies with "429 Too Many Requests" and exits when limit is exceeded.
+ * The limit can be set per CGI type: "I accept up to 256 connections,
+ * but only up to 100 of them may be to /cgi-bin/simple_cgi,
+ * and 20 to /cgi-bin/HEAVY_cgi".
+ *
+ * TODO:
+ * - do not allow all MAXCONN connections be taken up by the same remote IP.
+ */
+#define HEADER_READ_TIMEOUT 30
+#define DATA_WRITE_TIMEOUT  60
+
 
 #include "libbb.h"
 #include "common_bufsiz.h"
@@ -322,9 +344,6 @@
 #define IOBUF_SIZE 8192
 #define MAX_HTTP_HEADERS_SIZE (32*1024)
 
-#define HEADER_READ_TIMEOUT 30
-#define DATA_WRITE_TIMEOUT 60
-
 #define STR1(s) #s
 #define STR(s) STR1(s)
 
@@ -699,6 +718,7 @@ static int scan_ip_mask(const char *str, unsigned *ipp, unsigned *maskp)
  * path   Path where to look for httpd.conf (without filename).
  * flag   Type of the parse request.
  */
+//TODO: use parse_config() from libbb?
 /* flag param: */
 enum {
         FIRST_PARSE    = 0, /* path will be "/etc" */
@@ -1062,24 +1082,24 @@ static int openServer(void)
 
 /*
  * Log the connection closure and exit.
+ * Two variants: one signals EOF (clean termination),
+ * the other might signal that connection is reset, not closed normally
+ * (usually RST is sent if there is unsent buffered data in the socket buffer).
  */
 static void log_and_exit(void) NORETURN;
 static void log_and_exit(void)
 {
-        /* Paranoia. IE said to be buggy. It may send some extra data
-         * or be confused by us just exiting without SHUT_WR. Oh well. */
-        shutdown(STDOUT_FILENO, SHUT_WR);
-        /* Why??
-        (this also messes up stdin when user runs httpd -i from terminal)
-        ndelay_on(0);
-        while (read(STDIN_FILENO, iobuf, IOBUF_SIZE) > 0)
-                continue;
-        */
-
         if (VERBOSE_3)
                 bb_simple_error_msg("closed");
         _exit(xfunc_error_retval);
 }
+static void send_EOF_and_exit(void) NORETURN;
+static void send_EOF_and_exit(void)
+{
+        /* This makes sure on TCP level, the connection is closed with FIN, not RST */
+        shutdown(STDOUT_FILENO, SHUT_WR);
+        log_and_exit();
+}
 
 /*
  * Create and send HTTP response headers.
@@ -1304,7 +1324,7 @@ static void send_headers_and_exit(int responseNum)
         IF_FEATURE_HTTPD_GZIP(content_gzip = 0;)
         file_size = -1; /* no Last-Modified:, ETag:, Content-Length: */
         send_headers(responseNum);
-        log_and_exit();
+        send_EOF_and_exit();
 }
 
 /*
@@ -1436,7 +1456,7 @@ static NOINLINE void cgi_io_loop_and_exit(int fromCgi_rd, int toCgi_wr, int post
                                         bb_error_msg("CGI killed, signal=%u", WTERMSIG(status));
                         }
 #endif
-                        break;
+                        send_EOF_and_exit();
                 }
 
                 if (pfd[TO_CGI].revents) {
@@ -1500,7 +1520,7 @@ static NOINLINE void cgi_io_loop_and_exit(int fromCgi_rd, int toCgi_wr, int post
                                                 full_write(STDOUT_FILENO, HTTP_200, sizeof(HTTP_200)-1);
                                                 full_write(STDOUT_FILENO, rbuf, out_cnt);
                                         }
-                                        break; /* CGI stdout is closed, exiting */
+                                        send_EOF_and_exit(); /* CGI stdout is closed, exiting */
                                 }
                                 out_cnt += count;
                                 count = 0;
@@ -1535,7 +1555,7 @@ static NOINLINE void cgi_io_loop_and_exit(int fromCgi_rd, int toCgi_wr, int post
                         } else {
                                 count = safe_read(fromCgi_rd, rbuf, IOBUF_SIZE);
                                 if (count <= 0)
-                                        break;  /* eof (or error) */
+                                        send_EOF_and_exit();  /* eof (or error) */
                         }
                         if (full_write(STDOUT_FILENO, rbuf, count) != count)
                                 break;
@@ -1794,10 +1814,10 @@ static NOINLINE void send_file_and_exit(const char *url, int what)
                 dbg("can't open '%s'\n", url);
                 /* Error pages are sent by using send_file_and_exit(SEND_BODY).
                  * IOW: it is unsafe to call send_headers_and_exit
-                 * if what is SEND_BODY! Can recurse! */
+                 * if "what" is SEND_BODY! Can recurse! */
                 if (what != SEND_BODY)
                         send_headers_and_exit(HTTP_NOT_FOUND);
-                log_and_exit();
+                send_EOF_and_exit();
         }
 #if ENABLE_FEATURE_HTTPD_ETAG
         /* ETag is "hex(last_mod)-hex(file_size)" e.g. "5e132e20-417" */
@@ -1925,17 +1945,17 @@ static NOINLINE void send_file_and_exit(const char *url, int what)
                                 if (offset == range_start) /* was it the very 1st sendfile? */
                                         break; /* fall back to read/write loop */
                                 if (VERBOSE_1) {
-                                        if (errno == EAGAIN)
-                                                errno = ETIMEDOUT;
 // SO_SNDTIME on our socket causes write timeouts manifest as EAGAIN "Resource temporarily unavailable".
 // Not the best error message (when reading the log: "Er... what resource?!")
+                                        if (errno == EAGAIN)
+                                                errno = ETIMEDOUT;
                                         bb_simple_perror_msg("sendfile error");
                                 }
                                 log_and_exit();
                         }
                         IF_FEATURE_HTTPD_RANGES(range_len -= count;)
                         if (count == 0 || range_len == 0)
-                                log_and_exit();
+                                send_EOF_and_exit();
                 }
         }
 #endif
@@ -1948,6 +1968,7 @@ static NOINLINE void send_file_and_exit(const char *url, int what)
                                 if (errno == EAGAIN)
                                         errno = ETIMEDOUT;
                                 bb_simple_perror_msg("write error");
+                                log_and_exit();
                         }
                         break;
                 }
@@ -1959,7 +1980,7 @@ static NOINLINE void send_file_and_exit(const char *url, int what)
                 if (VERBOSE_1)
                         bb_simple_perror_msg("read error");
         }
-        log_and_exit();
+        send_EOF_and_exit();
 }
 
 #if ENABLE_FEATURE_HTTPD_ACL_IP