Summary
Envoy will crash when the HTTP async client is handling sendLocalReply
under some circumstance, e.g., WebSocket upgrade, and requests mirroring.
Details
The HTTP async client can crash during the sendLocalReply()
in HTTP async client.
One reason is HTTP async client is duplicating the status code, and another is the router is destroyed at the destructor of the async stream, while the stream is deferred deleted at first.
This can create a problem where the stream decoder is destroyed but its reference is called in router.onDestroy()
, causing a segfault.
This can impact ext_authz if the upgrade
and connection
header are allowed, and request mirrorring is enabled.
PoC
- config
allowed_headers
to match any headers or
patterns:
- exact: upgrade
- exact: connection
- Send WebSocket upgrade requests
- The authentication server sends back
400
to reject the auth request.
- Then Envoy will crash
Impact
Envoy will crash to stop serving any traffic
Credits
Nick Van Dyck ([email protected])
Summary
Envoy will crash when the HTTP async client is handling
sendLocalReply
under some circumstance, e.g., WebSocket upgrade, and requests mirroring.Details
The HTTP async client can crash during the
sendLocalReply()
in HTTP async client.One reason is HTTP async client is duplicating the status code, and another is the router is destroyed at the destructor of the async stream, while the stream is deferred deleted at first.
This can create a problem where the stream decoder is destroyed but its reference is called in
router.onDestroy()
, causing a segfault.This can impact ext_authz if the
upgrade
andconnection
header are allowed, and request mirrorring is enabled.PoC
allowed_headers
to match any headers or400
to reject the auth request.Impact
Envoy will crash to stop serving any traffic
Credits
Nick Van Dyck ([email protected])