Details
sendOverloadError is going to assume the active request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, only onMessageBeginImpl() is called. However, the onMessageBeginImpl will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset,
PoC
- Has http1
http1_server_abort_dispatch configured
- Has the H1 stream be reset by something else
- During dispatching this bug will trigger but we guard with resetStreamCalled
Impact
Envoy will crash
Mitigation
- Disable
http1_server_abort_dispatch load shed point
- Use a high threshold.
Reporter
Boteng Yao
Details
sendOverloadErroris going to assume the active request exists whenenvoy.load_shed_points.http1_server_abort_dispatchis configured. Ifactive_requestis nullptr, only onMessageBeginImpl() is called. However, theonMessageBeginImplwill directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset,PoC
http1_server_abort_dispatchconfiguredImpact
Envoy will crash
Mitigation
http1_server_abort_dispatchload shed pointReporter
Boteng Yao