From 2050b6f3eedf34af167f103b20f83808add18859 Mon Sep 17 00:00:00 2001 From: Tim Perry Date: Thu, 24 Aug 2023 16:05:02 +0100 Subject: [PATCH 1/2] net: fix crash due to simultaneous close/shutdown on JS Stream Sockets A JS stream socket wraps a stream, exposing it as a socket for something on top which needs a socket specifically (e.g. an HTTP server). If the internal stream is closed in the same tick as the layer on top attempts to close this stream, the race between doShutdown and doClose results in an uncatchable exception. A similar race can happen with doClose and doWrite. It seems legitimate these can happen in parallel, so this resolves that by explicitly detecting and handling that situation: if a close is in progress, both doShutdown & doWrite allow doClose to run finishShutdown/Write for them, cancelling the operation, without trying to use this._handle (which will be null) in the meantime. --- lib/internal/js_stream_socket.js | 20 ++++++ ...test-http2-client-connection-tunnelling.js | 71 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 test/parallel/test-http2-client-connection-tunnelling.js diff --git a/lib/internal/js_stream_socket.js b/lib/internal/js_stream_socket.js index 8bc19296620b3f..68e1802a63b012 100644 --- a/lib/internal/js_stream_socket.js +++ b/lib/internal/js_stream_socket.js @@ -21,6 +21,7 @@ const { ERR_STREAM_WRAP } = require('internal/errors').codes; const kCurrentWriteRequest = Symbol('kCurrentWriteRequest'); const kCurrentShutdownRequest = Symbol('kCurrentShutdownRequest'); const kPendingShutdownRequest = Symbol('kPendingShutdownRequest'); +const kPendingClose = Symbol('kPendingClose'); function isClosing() { return this[owner_symbol].isClosing(); } @@ -94,6 +95,7 @@ class JSStreamSocket extends Socket { this[kCurrentWriteRequest] = null; this[kCurrentShutdownRequest] = null; this[kPendingShutdownRequest] = null; + this[kPendingClose] = false; this.readable = stream.readable; this.writable = stream.writable; @@ -135,10 +137,17 @@ class JSStreamSocket extends Socket { this[kPendingShutdownRequest] = req; return 0; } + assert(this[kCurrentWriteRequest] === null); assert(this[kCurrentShutdownRequest] === null); this[kCurrentShutdownRequest] = req; + if (this[kPendingClose]) { + // If doClose is pending, the stream & this._handle are gone. We can't do + // anything. doClose will call finishShutdown with ECANCELED for us shortly. + return 0; + } + const handle = this._handle; process.nextTick(() => { @@ -164,6 +173,13 @@ class JSStreamSocket extends Socket { assert(this[kCurrentWriteRequest] === null); assert(this[kCurrentShutdownRequest] === null); + if (this[kPendingClose]) { + // If doClose is pending, the stream & this._handle are gone. We can't do + // anything. doClose will call finishWrite with ECANCELED for us shortly. + this[kCurrentWriteRequest] = req; // Store req, for doClose to cancel + return 0; + } + const handle = this._handle; const self = this; @@ -217,6 +233,8 @@ class JSStreamSocket extends Socket { } doClose(cb) { + this[kPendingClose] = true; + const handle = this._handle; // When sockets of the "net" module destroyed, they will call @@ -234,6 +252,8 @@ class JSStreamSocket extends Socket { this.finishWrite(handle, uv.UV_ECANCELED); this.finishShutdown(handle, uv.UV_ECANCELED); + this[kPendingClose] = false; + cb(); }); } diff --git a/test/parallel/test-http2-client-connection-tunnelling.js b/test/parallel/test-http2-client-connection-tunnelling.js new file mode 100644 index 00000000000000..6e04121ca71ea8 --- /dev/null +++ b/test/parallel/test-http2-client-connection-tunnelling.js @@ -0,0 +1,71 @@ +'use strict'; + +const common = require('../common'); +const fixtures = require('../common/fixtures'); +if (!common.hasCrypto) + common.skip('missing crypto'); +const assert = require('assert'); +const net = require('net'); +const tls = require('tls'); +const h2 = require('http2'); + +// This test sets up an H2 proxy server, and tunnels a request over one of its streams +// back to itself, via TLS, and then closes the TLS connection. On some Node versions +// (v18 & v20 up to 20.5.1) the resulting JS Stream Socket fails to shutdown correctly +// in this case, and crashes due to a null pointer in finishShutdown. + +const tlsOptions = { + key: fixtures.readKey('agent1-key.pem'), + cert: fixtures.readKey('agent1-cert.pem'), + ALPNProtocols: ['h2'] +}; + +const netServer = net.createServer((socket) => { + socket.allowHalfOpen = false; + // ^ This allows us to trigger this reliably, but it's not strictly required + // for the bug and crash to happen, skipping this just fails elsewhere later. + + h2Server.emit('connection', socket); +}); + +const h2Server = h2.createSecureServer(tlsOptions, (req, res) => { + res.writeHead(200); + res.end(); +}); + +h2Server.on('connect', (req, res) => { + res.writeHead(200, {}); + netServer.emit('connection', res.stream); +}); + +netServer.listen(0, common.mustCall(() => { + const proxyClient = h2.connect(`https://localhost:${netServer.address().port}`, { + rejectUnauthorized: false + }); + + const proxyReq = proxyClient.request({ + ':method': 'CONNECT', + ':authority': 'example.com:443' + }); + + proxyReq.on('response', common.mustCall((response) => { + assert.strictEqual(response[':status'], 200); + + // Create a TLS socket within the tunnel, and start sending a request: + const tlsSocket = tls.connect({ + socket: proxyReq, + ALPNProtocols: ['h2'], + rejectUnauthorized: false + }); + + proxyReq.on('close', common.mustCall(() => { + proxyClient.close(); + netServer.close(); + })); + + // Forcibly kill the TLS socket + tlsSocket.destroy(); + + // This results in an async error in affected Node versions, before the 'close' event + })); +})); From fb9611bd5d2940ac0ab2c835a4c10d07ebd7b99e Mon Sep 17 00:00:00 2001 From: Tim Perry Date: Fri, 25 Aug 2023 14:16:35 +0100 Subject: [PATCH 2/2] net: use asserts in JS Socket Stream to catch races in future --- lib/internal/js_stream_socket.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/internal/js_stream_socket.js b/lib/internal/js_stream_socket.js index 68e1802a63b012..70d6d03069f3f1 100644 --- a/lib/internal/js_stream_socket.js +++ b/lib/internal/js_stream_socket.js @@ -149,6 +149,7 @@ class JSStreamSocket extends Socket { } const handle = this._handle; + assert(handle !== null); process.nextTick(() => { // Ensure that write is dispatched asynchronously. @@ -181,6 +182,8 @@ class JSStreamSocket extends Socket { } const handle = this._handle; + assert(handle !== null); + const self = this; let pending = bufs.length;