Merged
…xy#8922) Signed-off-by: Yuchen Dai <silentdai@gmail.com> Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Description: Change (non-existent) https://github.com/eile/tclap/ to https://github.com/mirror/tclap/. I didn't validate the new mirror in any way, but the downloaded release file sha256sum stays the same. In the future the releases should probably be downloaded from the real upstream. However the release 1.2.1 tarball from https://sourceforge.net/projects/tclap/files/ did not have the same sha256sum as the release file which Envoy uses. Risk Level: Medium Testing: N/A Docs Changes: N/A Release Notes: Fixes envoyproxy#9071 Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18431. Risk level: Low (no functional change). Testing: Additional unit and integration tests added that cover the :method header overflow case and adjacent behaviors. Corpus entry added. Signed-off-by: Harvey Tuch <htuch@google.com>
This can happen during certain early reply cases in the HCM when an encoder filter tries to lookup the cached route/cluster. Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
…nvoyproxy#10017) Signed-off-by: Yangmin Zhu <ymzhu@google.com>
…rbac (envoyproxy#10010) (envoyproxy#10038) Description: Add a new PathMatcher that strips the query and/or fragment string from the ":path" header before matching, use it in route, JWT and RBAC. Risk Level: Low Testing: Added unit tests and integration tests Docs Changes: Updated types.rst for PathMatcher Release Notes: Updated version_history.rst for RBAC API change Signed-off-by: Yangmin Zhu <ymzhu@google.com>
…xy#10201) Signed-off-by: Lizan Zhou <lizan@tetrate.io>
…proxy#10218) Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Previously, the update callback was called only when the secret was received for the first time or when its value changed. This meant that if the same secret (e.g. trusted CA) was used in multiple resources, then resources using it but configured after the secret was already received remained unconfigured until the secret's value changed. The missing callback should have resulted in transport factories stuck in the "not ready" state; however, because of incorrect code, the available secret was processed like an inlined validation context, and only rules from the "secret" part of the validation context were applied, leading to a complete bypass of rules from the "default" part. Signed-off-by: Piotr Sikora <piotrsikora@google.com> Co-authored-by: Oliver Liu <yonggangl@google.com>
Given that we allow creating zero byte fragments, it'd be good to proactively drain them. For example if someone is doing timing instrumentation and wants to know when Network::Connection data is written to the kernel, it could be useful to have a zero byte sentinel. Risk Level: Low (I don't think anyone is adding zero byte fragments yet) Testing: new unit test Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Signed-off-by: Jianfei Hu <jianfeih@google.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Signed-off-by: Jianfei Hu <jianfeih@google.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Previously, TLS inspector didn't support TLSv1.3 and clients configured to use only TLSv1.3 were not recognized as TLS clients. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process. Fixes istio/istio#18695. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
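The commit above describes a listener filter that classified connections by inspecting the ClientHello; a client that offers only TLSv1.3 still sends legacy_version 0x0303, so the protocol version must be read from the supported_versions extension, and SNI/ALPN from their own extensions. The following is an added example, not Envoy's TLS inspector code, that parses a ClientHello record bounds-checked from a byte buffer and reports TLS 1.3 support, SNI and ALPN; `buildClientHello` is a constructed helper that produces sample records for the demonstration, and all names and values are assumptions made here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// What a listener-side inspector learns from the first TLS record (example type).
struct ClientHelloInfo {
  bool tls13_offered = false;      // supported_versions (0x002b) lists 0x0304
  std::string sni;                 // server_name (0x0000), if present
  std::vector<std::string> alpn;   // ALPN (0x0010) protocol list, if present
};

using Bytes = std::vector<uint8_t>;

namespace {
// Big-endian readers bounded by `end`: they fail on truncation instead of reading past it.
bool rd8(const Bytes& b, size_t& p, size_t end, uint32_t& v) {
  if (p + 1 > end) return false;
  v = b[p]; p += 1; return true;
}
bool rd16(const Bytes& b, size_t& p, size_t end, uint32_t& v) {
  if (p + 2 > end) return false;
  v = (uint32_t(b[p]) << 8) | b[p + 1]; p += 2; return true;
}
bool rd24(const Bytes& b, size_t& p, size_t end, uint32_t& v) {
  if (p + 3 > end) return false;
  v = (uint32_t(b[p]) << 16) | (uint32_t(b[p + 1]) << 8) | b[p + 2]; p += 3; return true;
}
}  // namespace

// Returns nullopt if the buffer is not (yet) a complete, well-formed ClientHello record.
std::optional<ClientHelloInfo> inspectClientHello(const Bytes& b) {
  ClientHelloInfo info;
  uint32_t v = 0, rec_len = 0, hs_len = 0, ext_total = 0;
  if (b.size() < 5 || b[0] != 0x16) return std::nullopt;     // 0x16 = handshake record
  size_t p = 3;
  if (!rd16(b, p, b.size(), rec_len)) return std::nullopt;
  size_t rec_end = p + rec_len;
  if (rec_end > b.size()) return std::nullopt;                // need more bytes
  if (!rd8(b, p, rec_end, v) || v != 0x01) return std::nullopt;  // 0x01 = ClientHello
  if (!rd24(b, p, rec_end, hs_len)) return std::nullopt;
  size_t hs_end = p + hs_len;
  if (hs_end > rec_end) return std::nullopt;
  p += 2 + 32;                                                 // legacy_version + random
  if (!rd8(b, p, hs_end, v)) return std::nullopt; p += v;     // session_id
  if (!rd16(b, p, hs_end, v)) return std::nullopt; p += v;    // cipher_suites
  if (!rd8(b, p, hs_end, v)) return std::nullopt; p += v;     // compression_methods
  if (p > hs_end) return std::nullopt;
  if (p == hs_end) return info;                                // no extensions at all
  if (!rd16(b, p, hs_end, ext_total)) return std::nullopt;
  size_t ext_end = p + ext_total;
  if (ext_end > hs_end) return std::nullopt;
  while (p < ext_end) {
    uint32_t type = 0, len = 0;
    if (!rd16(b, p, ext_end, type) || !rd16(b, p, ext_end, len)) return std::nullopt;
    size_t e = p + len;
    if (e > ext_end) return std::nullopt;
    size_t q = p;
    if (type == 0x0000) {                                      // server_name
      uint32_t list_len = 0, name_type = 0, name_len = 0;
      if (rd16(b, q, e, list_len) && rd8(b, q, e, name_type) && rd16(b, q, e, name_len) &&
          name_type == 0 && q + name_len <= e)
        info.sni.assign(b.begin() + q, b.begin() + q + name_len);
    } else if (type == 0x002b) {                               // supported_versions
      uint32_t list_len = 0, ver = 0;
      if (rd8(b, q, e, list_len))
        for (size_t k = 0; k + 1 < list_len && rd16(b, q, e, ver); k += 2)
          if (ver == 0x0304) info.tls13_offered = true;
    } else if (type == 0x0010) {                               // ALPN
      uint32_t list_len = 0, pl = 0;
      if (rd16(b, q, e, list_len))
        while (rd8(b, q, e, pl) && q + pl <= e) {
          info.alpn.emplace_back(b.begin() + q, b.begin() + q + pl); q += pl;
        }
    }
    p = e;                                                     // skip unknown extensions
  }
  return info;
}

// Constructed sample ClientHello for the demo (one cipher suite, fixed random).
Bytes buildClientHello(const std::string& sni, const std::string& alpn, bool tls13_only) {
  auto put16 = [](Bytes& o, size_t x) { o.push_back(uint8_t(x >> 8)); o.push_back(uint8_t(x & 0xff)); };
  Bytes ext, d;
  put16(d, sni.size() + 3); d.push_back(0); put16(d, sni.size()); d.insert(d.end(), sni.begin(), sni.end());
  put16(ext, 0x0000); put16(ext, d.size()); ext.insert(ext.end(), d.begin(), d.end());
  d.clear(); put16(d, alpn.size() + 1); d.push_back(uint8_t(alpn.size())); d.insert(d.end(), alpn.begin(), alpn.end());
  put16(ext, 0x0010); put16(ext, d.size()); ext.insert(ext.end(), d.begin(), d.end());
  if (tls13_only) {                       // a TLS 1.2 client simply omits supported_versions
    d.clear(); d.push_back(2); put16(d, 0x0304);
    put16(ext, 0x002b); put16(ext, d.size()); ext.insert(ext.end(), d.begin(), d.end());
  }
  Bytes body; put16(body, 0x0303);        // legacy_version stays 0x0303 even for TLS 1.3
  body.insert(body.end(), 32, 0x11); body.push_back(0);
  put16(body, 2); put16(body, 0x1301); body.push_back(1); body.push_back(0);
  put16(body, ext.size()); body.insert(body.end(), ext.begin(), ext.end());
  Bytes hs{0x01, uint8_t(body.size() >> 16), uint8_t(body.size() >> 8), uint8_t(body.size())};
  hs.insert(hs.end(), body.begin(), body.end());
  Bytes rec{0x16, 0x03, 0x01}; put16(rec, hs.size()); rec.insert(rec.end(), hs.begin(), hs.end());
  return rec;
}

int main() {
  auto r = inspectClientHello(buildClientHello("example.test", "h2", true));
  std::printf("tls13=%d sni=%s alpn=%s\n", r && r->tls13_offered, r ? r->sni.c_str() : "-",
              (r && !r->alpn.empty()) ? r->alpn[0].c_str() : "-");
  return 0;
}
```

A filter chain match that only looks at the record's legacy version would treat a TLS 1.3-only client like any TLS 1.2 client, while one that cannot complete an inspection handshake at all would fall through to a default chain; either way the SNI and ALPN used for matching must come from the extensions, which is why the parser above reads them directly and refuses truncated or malformed input rather than guessing.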
This is similar to the http2 frame protection, but rather than try to guard [header block || last body bytes || last chunk in chunk encoding || trailer block] depending on end stream, which just gets messy, I opted to just add an empty reference counted fragment after the body was serialized, which appears to work just as well with a small theoretical overhead. If folks think the complexity is warranted I can of course do that instead. Risk Level: Medium Testing: new unit tests, integration test Docs Changes: stats documented Release Notes: added Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Signed-off-by: Lizan Zhou <lizan@tetrate.io> Signed-off-by: Jianfei Hu <jianfeih@google.com>
Description: Remove empty slices off the end of buffers after calls to OwnedImpl::commit. The slices reserved when OwnedImpl::reserve is called will sit unused in cases where 0 bytes are committed, for example, when socket read returns 0 bytes EAGAIN. Trapped slices act like a memory leak until there is a successful read or the socket is closed. Risk Level: low Testing: unit Docs Changes: n/a Release Notes: n/a Signed-off-by: Antonio Vicente <avd@google.com> Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Yangmin Zhu <ymzhu@google.com>
… avoid fragmentation (#117) (#127) Change OwnedImpl::move to force a copy instead of taking ownership of slices in cases where the offered slices are below kCopyThreshold Risk Level: medium, changes to buffer behavior Testing: Unit Tests Docs Changes: N/A Release Notes: N/A Signed-off-by: Antonio Vicente <avd@google.com> Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Cherry-picks: 3804528 and removed Windows from CI. dc197e5 5306563 bc2d1d3 660891e a85f8ec Risk Level: Low Testing: CI Docs Changes: Release Notes: Part of envoyproxy#10741 Signed-off-by: Lizan Zhou <lizan@tetrate.io> Co-authored-by: Matt Klein <mklein@lyft.com> Co-authored-by: Sunjay Bhatia <sunjayBhatia@users.noreply.github.com>
Signed-off-by: Lizan Zhou <lizan@tetrate.io> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
…#11461) Enables users of tagged releases to stay on the latest release of a major/minor combination Resolves envoyproxy#11091 Signed-off-by: Sunjay Bhatia <sbhatia@pivotal.io> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
…) (envoyproxy#11464) Signed-off-by: Yan Avlasov <yavlasov@google.com> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
See release notes at https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0. This addresses GHSA-q5wr-xfw9-q7xr. Set nghttp2 internal flood mitigation threshold back to 10K to avoid any changes in Envoy's codec behavior. Signed-off-by: Harvey Tuch <htuch@google.com> Signed-off-by: Yan Avlasov <yavlasov@google.com> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
This patch separates the Resource class from the resource manager implementation and allows for resource limit tracking in other parts of the code base. Signed-off-by: Tony Allen <tony@allen.gg> Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Add support for per-listener limits on accepted connections. Signed-off-by: Tony Allen <tony@allen.gg> Signed-off-by: Lizan Zhou <lizan@tetrate.io>
This patch adds support for global accepted connection limits. May be configured simultaneously with per-listener connection limits and enforced separately. If the global limit is unconfigured, Envoy will emit a warning during start-up. Global downstream connection count tracking (across all listeners and threads) is performed by the network listener implementation upon acceptance of a socket. The mapping of active socket objects to the actual accepted downstream sockets is assumed to remain bijective. Given that characteristic, the connection counts are tied to the lifetime of the objects. Signed-off-by: Tony Allen <tony@allen.gg> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
…eject partial headers that exceed configured limits (#145) Improve the robustness of HTTP1 request and response header size checks by including the request URL in the request header size, and add missing header size check when parsing header field names. The missing header field name size check can result in excessive buffering up to a hard-coded 32MB limit until timeout. The missing request URL size check can result in Envoy attempting to route match and proxy HTTP/1.1 requests with URLs up to a hard-coded 32MB limit, which could result in excess memory usage or performance problems in regex route matches. Signed-off-by: Antonio Vicente <avd@google.com> Signed-off-by: John Plevyak <jplevyak@gmail.com>
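The commit above makes two points: the request URL has to count toward the header size budget, and the check has to run on partial input (while a field name is still being read), otherwise an unterminated line is buffered up to the hard-coded limit until a timeout. The following is an added example, not Envoy's HTTP/1 codec, that contrasts a guard which charges every byte of the request line and header fields as it arrives with a weak guard that only checks once the header section is complete; the class names, the 64-byte budget and the sample request bytes are all constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

enum class HeaderVerdict { NeedMore, Complete, TooLarge };

// Hardened check (example): every byte of the request line (method, URL, version)
// and of every header name and value is charged against the budget as it arrives,
// so a URL or field name that never ends is rejected after max_bytes, not buffered.
class PartialHeaderGuard {
 public:
  explicit PartialHeaderGuard(size_t max_bytes) : max_bytes_(max_bytes) {}

  HeaderVerdict feed(std::string_view chunk) {
    for (char c : chunk) {
      if (done_) break;                                   // header section already ended
      if (seen_ + 1 > max_bytes_) return HeaderVerdict::TooLarge;  // reject before storing
      ++seen_;
      buffered_.push_back(c);
      if (endsWithBlankLine()) done_ = true;
    }
    return done_ ? HeaderVerdict::Complete : HeaderVerdict::NeedMore;
  }
  size_t buffered() const { return buffered_.size(); }

 private:
  bool endsWithBlankLine() const {
    return buffered_.size() >= 4 && buffered_.compare(buffered_.size() - 4, 4, "\r\n\r\n") == 0;
  }
  size_t max_bytes_;
  size_t seen_ = 0;
  bool done_ = false;
  std::string buffered_;
};

// Weak check for contrast (example): the size is validated only once the blank line
// terminating the header section has arrived, so everything before it is buffered
// first and a sender that never finishes the line is limited only by the timeout.
class CompleteOnlyGuard {
 public:
  explicit CompleteOnlyGuard(size_t max_bytes) : max_bytes_(max_bytes) {}

  HeaderVerdict feed(std::string_view chunk) {
    buffered_.append(chunk);
    size_t pos = buffered_.find("\r\n\r\n");
    if (pos == std::string::npos) return HeaderVerdict::NeedMore;
    return pos + 4 <= max_bytes_ ? HeaderVerdict::Complete : HeaderVerdict::TooLarge;
  }
  size_t buffered() const { return buffered_.size(); }

 private:
  size_t max_bytes_;
  std::string buffered_;
};

int main() {
  // Constructed input: a request line whose URL keeps going without a CRLF.
  std::string endless_url = "GET /" + std::string(100, 'a');
  PartialHeaderGuard strict(64);
  CompleteOnlyGuard weak(64);
  std::printf("strict: verdict=%d buffered=%zu\n", int(strict.feed(endless_url)), strict.buffered());
  std::printf("weak:   verdict=%d buffered=%zu\n", int(weak.feed(endless_url)), weak.buffered());
  return 0;
}
```

The same idea applies to the per-header-name check the commit adds: because `PartialHeaderGuard` counts bytes without waiting for a delimiter, a field name that exceeds the remaining budget is rejected mid-name, and the amount of memory held for an unfinished request never exceeds the configured limit.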
…ation due to tracking of H2 data and control frames in the output buffer (#144) Add a drain hook to Buffer::OwnedImpl for use by H2 codec to track when data and control frames are sent on the wire. Tracking frames this way avoids high-memory usage due to output buffer fragmentation. Signed-off-by: Antonio Vicente <avd@google.com> Signed-off-by: John Plevyak <jplevyak@gmail.com>
This commit adds a new stream flush timeout to guard against a remote server that does not open window once an entire stream has been buffered for flushing. Additional stats have also been added to better understand the codec's view of active streams as well as the amount of data buffered. Signed-off-by: Matt Klein <mklein@lyft.com> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
This patch separates the Resource class from the resource manager implementation and allows for resource limit tracking in other parts of the code base. Signed-off-by: Tony Allen <tony@allen.gg> Signed-off-by: Lizan Zhou <lizan@tetrate.io> Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: John Plevyak <jplevyak@gmail.com>
Signed-off-by: Matt Klein <mklein@lyft.com> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Merge v1.12
…backport-1.4 Signed-off-by: John Plevyak <jplevyak@gmail.com>
Backport 1.4
Author (Member): /test test-tsan_envoy_release-1.4
bianpengyuan pushed a commit to bianpengyuan/envoy that referenced this pull request on Apr 15, 2021:
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg>
bianpengyuan pushed a commit to bianpengyuan/envoy that referenced this pull request on Apr 15, 2021:
istio#252) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg>
istio-testing pushed a commit that referenced this pull request on Apr 15, 2021:
* backport to 1.17: http: Fixing empty metadata map handling (#230) (#252) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg> * ssl: fix crash when peer sends an SSL Alert with an un… (#262) Fix for CVE-2021-28683 (crash when peer sends an SSL Alert with an unknown code) Signed-off-by: Greg Greenway <ggreenway@apple.com> Co-authored-by: Christoph Pakulski <christoph@tetrate.io> Signed-off-by: Tony Allen <tony@allen.gg> * grpc: fix grpc-timeout integer overflow (#254) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Tony Allen <tony@allen.gg> Co-authored-by: Christoph Pakulski <christoph@tetrate.io> Signed-off-by: Tony Allen <tony@allen.gg> Co-authored-by: Tony Allen <tony@allen.gg> Co-authored-by: Rei Shimizu <Shikugawa@gmail.com> Co-authored-by: Christoph Pakulski <christoph@tetrate.io>
istio-testing pushed a commit that referenced this pull request on Apr 16, 2021:
* http: Fixing empty metadata map handling (#230) #250 Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg> * grpc: fix grpc-timeout integer overflow (#255) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Tony Allen <tony@allen.gg> * ssl: fix crash when peer sends an SSL Alert with an unknown code (#259) Fixes CVE-2021-28683 (crash when peer sends an SSL Alert with an unknown code) Signed-off-by: Shikugawa <Shikugawa@gmail.com> Co-authored-by: Christoph Pakulski <christoph@tetrate.io> Signed-off-by: Tony Allen <tony@allen.gg> Co-authored-by: Tony Allen <tony@allen.gg> Co-authored-by: Rei Shimizu <Shikugawa@gmail.com> Co-authored-by: Christoph Pakulski <christoph@tetrate.io>
Monkeyanator pushed a commit to Monkeyanator/envoy that referenced this pull request on Apr 19, 2021:
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg>
Monkeyanator pushed a commit to Monkeyanator/envoy that referenced this pull request on Apr 20, 2021:
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <tony@allen.gg>
istio-testing pushed a commit that referenced this pull request on Apr 20, 2021:
* http: Fixing empty metadata map handling (#230) (#248) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Adi Suissa-Peleg <adip@google.com> Co-authored-by: Tony Allen <tony@allen.gg> Signed-off-by: Tony Allen <tony@allen.gg> * backport 1.14: grpc: fix grpc-timeout integer-overflow (#257) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Tony Allen <tony@allen.gg> Signed-off-by: Tony Allen <tony@allen.gg> * v1.14.7 release Signed-off-by: Tony Allen <tony@allen.gg> Co-authored-by: Adi (Suissa) Peleg <adip@google.com> Co-authored-by: Tony Allen <tony@allen.gg> Co-authored-by: Rei Shimizu <Shikugawa@gmail.com>
For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md
Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
[Optional Fixes #Issue]
[Optional Deprecated:]