Checkout
Jim Jagielski
committed
on 06 Sep 16
Merge r1758307, r1758308, r1758309, r1758311 from trunk:

mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'

The 'data' AcceptFilt… Show more
Merge r1758307, r1758308, r1758309, r1758311 from trunk:

mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'

The 'data' AcceptFilter optimization instructs Windows to wait until

data is received on a connection before completing the AcceptEx

operation. Unfortunately, it seems this isn't performed atomically --

AcceptEx "partially" accepts the incoming connection during the wait for

data, leaving all other incoming connections in the accept queue. This

opens the server to a denial of service.

Since the fix for this requires a substantial rearchitecture (likely

involving multiple outstanding calls to AcceptEx), disable the 'data'

filter for now and replace it with 'connect', which uses the AcceptEx

interface but does not wait for data.

Users running prior releases of httpd on Windows should explicitly move

to a 'connect' AcceptFilter in their configurations if they are

currently using the default 'data' filter.

Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for

their assistance in tracking down and diagnosing this issue.

PR: 59970

mpm_winnt: remove the AcceptEx data network bucket

Follow-up to the prior commit: without an incoming data buffer, the

custom network bucket code is now orphaned and we can remove it

entirely. This has the added benefit that we are no longer using the

internal OVERLAPPED.Pointer field, which is discouraged by the MSDN

docs.

mpm_winnt: remove duplication of ap_process_connection

Further follow-up to the previous commit: now that we no longer patch a

network bucket into the brigade, we can revert to calling

ap_process_connection() directly instead of duplicating its logic.

docs: rebuild

Submitted by: jchampion

Reviewed/backported by: jim

Show less