Underflow in Chunk::Parse leads to a hard lockup when parsing a chunk

[vaxerski]

I have a reverse-proxy written with Pistache, and every 10 minutes to a few hours, the proxy gets stuck. The CPU usage rises to 200%, and the proxy is unable to continue at all.

I've caught some stacktraces, and it seems that it's stuck advancing through a TE stream buffer.

While another thread is supposedly waiting for that to finish on a mutex

I've built with debug right now and will wait until it happens again and provide locals.

There is a timeout set for the requests of 30s, but it does not seem to do anything.

In any case, even if the TE is incorrect (or malicious), pistache should not just die. The reverse-proxy is for a git forge (forgejo) so it uses TE quite a lot for the git revs, I've definitely spotted that with git clones via HTTP(s).

[vaxerski]

backtrace with a token redacted: pistache_bt.txt

logs get stuck:

I managed to reproduce it. I'll give a repro case in a moment.

Edit: never mind, can't seem to reproduce on my Arch desktop by pointing it to my remote git forge, but I can reliably hang the forge forever by going to a particularly long commit that takes like 2s to generate.

I've printed message->body_ and it just hangs at a random point in the middle of the html.

For the request, one can query https://codetest.hyprland.org/hyprwm/hyprland-wiki/commit/127ae0022574d315abfc524b97c322fba23b9a96 (please don't do code., that will hang my actual forge, codetest. right now skips the proxy)

[vaxerski]

Managed to reproduce it with my proxy on my local machine by a backup of the entire git forge running on my desktop. Due to all the secrets, etc, and the sheer size, it will be hard to clearly "post" a repro case.

The address for the request is above, and relevant lines from my proxy are here:
https://github.com/vaxerski/checkpoint/blob/7e1a99a6918dd034b9891ee34d2f74bfb9a16e74/src/core/Handler.cpp#L304-L376

If I find anything else of note, I'll update the thread. For now, not sure why this happens

[vaxerski]

aah. Now I see why this happens :P

2048 - 2049 = underflow