BUG/MEDIUM: quic: prevent EMSGSIZE with GSO for larger bufsize

a-denoyelle · a-denoyelle · commit 2fffd85b9762 · 2024-11-26T11:49:30.000+01:00
A UDP datagram cannot be greater than 65535 bytes, as UDP length header
field is encoded on 2 bytes. As such, sendmsg() will reject a bigger
input with error EMSGSIZE. By default, this does not cause any issue as
QUIC datagrams are limited to 1.252 bytes and sent individually.

However, with GSO support, value bigger than 1.252 bytes are specified
on sendmsg(). If using a bufsize equal to or greater than 65535, syscall
could reject the input buffer with EMSGSIZE. As this value is not
expected, the connection is immediately closed by haproxy and the
transfer is interrupted.

This bug can easily reproduced by requesting a large object on loopback
interface and using a bufsize of 65535 bytes. In fact, the limit is
slightly less than 65535, as extra room is also needed for IP + UDP
headers.

Fix this by reducing the count of datagrams encoded in a single GSO
invokation via qc_prep_pkts(). Previously, it was set to 64 as specified
by man 7 udp. However, with 1252 datagrams, this is still too many.
Reduce it to a value of 52. Input to sendmsg will thus be restricted to
at most 65.104 bytes if last datagram is full.

If there is still data available for encoding in qc_prep_pkts(), they
will be written in a separate batch of datagrams. qc_send_ppkts() will
then loop over the whole QUIC Tx buffer and call sendmsg() for each
series of at most 52 datagrams.

This does not need to be backported.
diff --git a/include/haproxy/quic_tx-t.h b/include/haproxy/quic_tx-t.h
@@ -5,6 +5,17 @@
 #define QUIC_DGRAM_HEADLEN  (sizeof(uint16_t) + sizeof(void *))
 #define QUIC_MAX_CC_BUFSIZE (2 * (QUIC_MIN_CC_PKTSIZE + QUIC_DGRAM_HEADLEN))
 
+/* Sendmsg input buffer cannot be bigger than 65535 bytes. This comes from UDP
+ * header which uses a 2-bytes length field. QUIC datagrams are limited to 1252
+ * bytes for now so this does not cause any issue for serialized emission.
+ *
+ * However when using GSO large buffer can be transferred. By default, no more
+ * than 64 datagrams can be emitted via a single GSO call (man 7 udp). This is
+ * still too much with 1252 bytes datagram. Use a 52 datagrams max value, which
+ * ensures sendmsg input will be limited to 65104 bytes.
+ */
+#define QUIC_MAX_GSO_DGRAMS  52
+
 #include <import/eb64tree.h>
 #include <haproxy/list-t.h>
 
diff --git a/src/quic_tx.c b/src/quic_tx.c
@@ -570,6 +570,7 @@ static int qc_prep_pkts(struct quic_conn *qc, struct buffer *buf,
 	int total = 0;
 	struct quic_enc_level *qel, *tmp_qel;
 	int dgram_cnt = 0;
+	/* Restrict GSO emission to comply with sendmsg limitation. See QUIC_MAX_GSO_DGRAMS for more details. */
 	uchar gso_dgram_cnt = 0;
 
 	TRACE_ENTER(QUIC_EV_CONN_IO_CB, qc);
@@ -763,19 +764,15 @@ static int qc_prep_pkts(struct quic_conn *qc, struct buffer *buf,
 			         !(HA_ATOMIC_LOAD(&qc->li->flags) & LI_F_UDP_GSO_NOTSUPP) &&
 			         dglen == qc->path->mtu &&
 			         (char *)end < b_wrap(buf) &&
-			         gso_dgram_cnt < 64) {
+			         ++gso_dgram_cnt < QUIC_MAX_GSO_DGRAMS) {
+
 				/* A datagram covering the full MTU has been
 				 * built, use GSO to built next entry. Do not
 				 * reserve extra space for datagram header.
 				 */
 				prv_pkt = cur_pkt;
 				dglen = 0;
 
-				/* man 7 udp UDP_SEGMENT
-				 * The segment size must be chosen such that at
-				 * most 64 datagrams are sent in a single call
-				 */
-				++gso_dgram_cnt;
 			}
 			else {
 				/* Finalize current datagram if not all frames sent. */
