Summary
Envoy will crash when the HTTP async client is handling sendLocalReply under some circumstance, e.g., WebSocket upgrade, and requests mirroring.
Details
The HTTP async client can crash during the sendLocalReply() in HTTP async client.
One reason is HTTP async client is duplicating the status code, and another is the router is destroyed at the destructor of the async stream, while the stream is deferred deleted at first.
This can create a problem where the stream decoder is destroyed but its reference is called in router.onDestroy(), causing a segfault.
This can impact ext_authz if the upgrade and connection header are allowed, and request mirrorring is enabled.
PoC
- config
allowed_headers to match any headers or
patterns:
- exact: upgrade
- exact: connection
- Send WebSocket upgrade requests
- The authentication server sends back
400 to reject the auth request.
- Then Envoy will crash
Impact
Envoy will crash to stop serving any traffic
Credits
Nick Van Dyck ([email protected])
botengyao Remediation developer
yanavlasov Remediation reviewer
phlax Coordinator
vandycknick Reporter
Summary
Envoy will crash when the HTTP async client is handling
sendLocalReplyunder some circumstance, e.g., WebSocket upgrade, and requests mirroring.Details
The HTTP async client can crash during the
sendLocalReply()in HTTP async client.One reason is HTTP async client is duplicating the status code, and another is the router is destroyed at the destructor of the async stream, while the stream is deferred deleted at first.
This can create a problem where the stream decoder is destroyed but its reference is called in
router.onDestroy(), causing a segfault.This can impact ext_authz if the
upgradeandconnectionheader are allowed, and request mirrorring is enabled.PoC
allowed_headersto match any headers or400to reject the auth request.Impact
Envoy will crash to stop serving any traffic
Credits
Nick Van Dyck ([email protected])