Proxy Protocol v2 Header Parse Can Fail

[moonchen]

The function NetVConnection::has_proxy_protocol(IOBufferReader *reader) attempts to detect and consume a Proxy Protocol header from an IOBufferReader. It does this by peeking into the reader using memcpy into a fixed-size stack buffer:

https://github.com/apache/trafficserver/blob/e3ec7827e720e691a57f524b1c455609ea7792c8/src/iocore/net/NetVConnection.cc#L54-L60

The size of buf is based on PPv1_CONNECTION_HEADER_LEN_MAX (108 bytes). While this is sufficient for Proxy Protocol v1, Proxy Protocol v2 headers can be significantly larger. The v2 header includes a length field, and the total size (16 + len) can exceed 108 bytes. For example, with Unix sockets:

struct 
{        /* for AF_UNIX sockets, len = 216 */
             uint8_t src_addr[108];
             uint8_t dst_addr[108];
} unix_addr;

This is problematic because ProtocolProbeTrampoline relies on has_proxy_protocol during initial connection setup to detect the protocol. Consequently, valid Proxy Protocol v2 connections using headers larger than ~108 bytes may fail protocol detection.

[maskit]

Both formats are designed to fit in the smallest TCP segment that any TCP/IP host is required to support (576 - 40 = 536 bytes). This ensures that the whole header will always be delivered at once when the socket buffers are still empty at the beginning of a connection.

An easy mitigation would be to increase the buffer size to 536 bytes. But that's still not enough if many TLV fields follow the header.

There is another issue that is slightly related to the buffer size. Current code assumes everything for PROXY protocol (both the header and TLV fields) fits in one buffer block. If the header and/or TLV fields are stored over multiple buffers, ATS fails to parse them.

The trampoline needs a major change if we have to support those cases.