You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/02/10 17:03:47 UTC
[tomcat] branch 10.0.x updated: Fix BZ 65776. Reduce false positives detecting duplicate accept bug
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 2b9d155 Fix BZ 65776. Reduce false positives detecting duplicate accept bug
2b9d155 is described below
commit 2b9d1552ca23fbd197cec5803561ecb7f10649e0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 10 16:02:05 2022 +0000
Fix BZ 65776. Reduce false positives detecting duplicate accept bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65776
---
java/org/apache/tomcat/util/net/AprEndpoint.java | 22 ++++++++++++++++------
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 18 +++++++++++++-----
java/org/apache/tomcat/util/net/NioEndpoint.java | 18 +++++++++++++-----
webapps/docs/changelog.xml | 4 ++++
4 files changed, 46 insertions(+), 16 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index ef6dcdf..ea025f4 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -62,6 +62,7 @@ import org.apache.tomcat.jni.Status;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.buf.ByteBufferUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
import org.apache.tomcat.util.net.openssl.OpenSSLContext;
@@ -118,6 +119,8 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
private int previousAcceptedPort = -1;
private String previousAcceptedAddress = null;
+ private long previouspreviousAcceptedSocketNanoTime = 0;
+
// ------------------------------------------------------------ Constructor
@@ -129,8 +132,8 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
setUseAsyncIO(false);
}
- // ------------------------------------------------------------- Properties
+ // ------------------------------------------------------------- Properties
/**
* Defer accept.
@@ -810,13 +813,20 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
// Do the duplicate accept check here rather than in serverSocketaccept()
// so we can cache the results in the SocketWrapper
AprSocketWrapper wrapper = new AprSocketWrapper(socket, this);
- if (wrapper.getRemotePort() == previousAcceptedPort) {
- if (wrapper.getRemoteAddr().equals(previousAcceptedAddress)) {
- throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+ // Bug does not affect Windows. Skip the check on that platform.
+ if (!JrePlatform.IS_WINDOWS) {
+ long currentNanoTime = System.nanoTime();
+ if (wrapper.getRemotePort() == previousAcceptedPort) {
+ if (wrapper.getRemoteAddr().equals(previousAcceptedAddress)) {
+ if (currentNanoTime - previouspreviousAcceptedSocketNanoTime < 1000) {
+ throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+ }
+ }
}
+ previousAcceptedPort = wrapper.getRemotePort();
+ previousAcceptedAddress = wrapper.getRemoteAddr();
+ previouspreviousAcceptedSocketNanoTime = currentNanoTime;
}
- previousAcceptedPort = wrapper.getRemotePort();
- previousAcceptedAddress = wrapper.getRemoteAddr();
connections.put(socket, wrapper);
wrapper.setKeepAliveLeft(getMaxKeepAliveRequests());
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 00719a6..23b9434 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -44,6 +44,7 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
import org.apache.tomcat.util.net.jsse.JSSESupport;
@@ -85,9 +86,10 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
private SynchronizedStack<Nio2Channel> nioChannels;
private SocketAddress previousAcceptedSocketRemoteAddress = null;
+ private long previouspreviousAcceptedSocketNanoTime = 0;
- // --------------------------------------------------------- Public Methods
+ // --------------------------------------------------------- Public Methods
/**
* Number of keep-alive sockets.
@@ -362,11 +364,17 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
protected AsynchronousSocketChannel serverSocketAccept() throws Exception {
AsynchronousSocketChannel result = serverSock.accept().get();
- SocketAddress currentRemoteAddress = result.getRemoteAddress();
- if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress)) {
- throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+ // Bug does not affect Windows. Skip the check on that platform.
+ if (!JrePlatform.IS_WINDOWS) {
+ SocketAddress currentRemoteAddress = result.getRemoteAddress();
+ long currentNanoTime = System.nanoTime();
+ if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress) &&
+ currentNanoTime - previouspreviousAcceptedSocketNanoTime < 1000) {
+ throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+ }
+ previousAcceptedSocketRemoteAddress = currentRemoteAddress;
+ previouspreviousAcceptedSocketNanoTime = currentNanoTime;
}
- previousAcceptedSocketRemoteAddress = currentRemoteAddress;
return result;
}
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 7ef9f4a..f350d04 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -58,6 +58,7 @@ import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.collections.SynchronizedQueue;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.compat.JreCompat;
+import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
import org.apache.tomcat.util.net.jsse.JSSESupport;
@@ -109,11 +110,11 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
private SynchronizedStack<NioChannel> nioChannels;
private SocketAddress previousAcceptedSocketRemoteAddress = null;
+ private long previouspreviousAcceptedSocketNanoTime = 0;
// ------------------------------------------------------------- Properties
-
/**
* Use System.inheritableChannel to obtain channel from stdin/stdout.
*/
@@ -516,11 +517,18 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
@Override
protected SocketChannel serverSocketAccept() throws Exception {
SocketChannel result = serverSock.accept();
- SocketAddress currentRemoteAddress = result.getRemoteAddress();
- if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress)) {
- throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+
+ // Bug does not affect Windows. Skip the check on that platform.
+ if (!JrePlatform.IS_WINDOWS) {
+ SocketAddress currentRemoteAddress = result.getRemoteAddress();
+ long currentNanoTime = System.nanoTime();
+ if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress) &&
+ currentNanoTime - previouspreviousAcceptedSocketNanoTime < 1000) {
+ throw new IOException(sm.getString("endpoint.err.duplicateAccept"));
+ }
+ previousAcceptedSocketRemoteAddress = currentRemoteAddress;
+ previouspreviousAcceptedSocketNanoTime = currentNanoTime;
}
- previousAcceptedSocketRemoteAddress = currentRemoteAddress;
return result;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3ad0ad2..cf4b3c8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -143,6 +143,10 @@
ignored when the Connector used an internal executor. (markt)
</fix>
<fix>
+ <bug>65776</bug>: Improve the detection of the Linux duplicate accept
+ bug and reduce (hopefully avoid) instances of false positives. (markt)
+ </fix>
+ <fix>
<bug>65848</bug>: Revert the change that attempted to align the
behaviour of client certificate authentication with NIO or NIO2 with
OpenSSL for TLS between MacOS and Linux/Windows as the root cause was
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org