Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-24358

[GSS](7.4.z) UNDERTOW-2228 - Undertow write-timeout can cause a truncate response for request coming through keep-alive connection

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Hide

      1. Configure write-timeout on http-lister (and ajp-listener) in undertow subsystem. For example:

              <subsystem xmlns="urn:jboss:domain:undertow:12.0" ...>
            ...(snip)...
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" record-request-start-time="true" write-timeout="5000" />
                <ajp-listener name="ajp" socket-binding="ajp" record-request-start-time="true" write-timeout="5000"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                    <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b %I %S %T"/>
                </host>
            </server>
            ...(snip)...
        </subsystem>

      2. Deploy a war that contains the following example.jsp which write larger response than the default buffer size (16KB) and emulate long request processing with Thread.sleep():

      <%
System.out.println("example.jsp - start");
// int size = 8 * 1024; // 8KB
int size = 16 * 1024; // 16KB - default buffer size

char[] buffer = new char[size];
for (int i = 0; i < size; i++) {
    buffer[i] = 'X';
}

try {
    // emulate long request processing
    System.out.println("sleep 10 seconds");
    Thread.sleep(10*1000L);
} catch (Exception ignore) {}

out.print("start");
// out.flush();
out.write(buffer);
out.print("end");
System.out.println("example.jsp - end");
%>

      3. Use the following curl command to send a single request to example.jsp

      $ curl -v http://127.0.0.1:8080/example/example.jsp

      This request can be processed successfully and the response contains all content ("start" + 16KB size of "X" + "end")

      4. Use the following curl command to send two requests (1st one for the welcome content and 2nd one for example.jsp), so the 2nd request for example.jsp will be sent through the same keep-alive connection. Please make sure that execute the following command in one line.

      $ curl -v http://127.0.0.1:8080/ http://127.0.0.1:8080/example/example.jsp

      Then, you will see that the curl command shows "curl: (18) transfer closed with outstanding read data remaining" on the 2nd request for example.jsp. And the response is truncated in the middle of 16KB size of "X", so you do not see the last "end" in the response. If you enable (uncomment) "out.flush()" in the above example.jsp, the response is truncated before 16KB size of "X", so you see only the first "start" in the response.

      Another easy step to reproduce with web browser. This reproducer does not need "Thread.sleep()" in the application.

      1. Deploy a war that contains the following example2.jsp which write larger response than the default buffer size (16KB):

      <%
System.out.println("example.jsp - start");
// int size = 8 * 1024; // 8KB
int size = 16 * 1024; // 16KB - default buffer size

char[] buffer = new char[size];
for (int i = 0; i < size; i++) {
    buffer[i] = 'X';
}

out.println("start");
// out.flush();
out.write(buffer);
out.println();
out.println("end");
System.out.println("example.jsp - end");
%>

      2. Access example2.jsp with web browser 

      $ curl -v http://127.0.0.1:8080/example/example.jsp

      This request can be processed successfully and the response contains all content ("start" + 16KB size of "X" + "end")

      3. Wait for several seconds like 10 seconds which is longer than configure write-timeout (5000 = 5 seconds in this case) and is shorter than the default no-request-timeout (60000 = 60 seconds)

      4. Reload the previews page to access the same example2.jsp again through the same keep-alive connection.

      You will see the response is truncated in the middle of 16KB size of "X", so you do not see the last "end" in the response. If you enable (uncomment) "out.flush()" in the above jsp, the response is truncated before 16KB size of "X", so you see only the first "start" in the response.

      Show
      1. Configure write-timeout on http-lister (and ajp-listener) in undertow subsystem. For example: <subsystem xmlns= "urn:jboss:domain:undertow:12.0" ...> ...(snip)... <server name= " default -server" > <http-listener name= " default " socket-binding= "http" redirect-socket= "https" enable-http2= " true " record-request-start-time= " true " write-timeout= "5000" /> <ajp-listener name= "ajp" socket-binding= "ajp" record-request-start-time= " true " write-timeout= "5000" /> <https-listener name= "https" socket-binding= "https" security-realm= "ApplicationRealm" enable-http2= " true " /> <host name= " default -host" alias= "localhost" > <location name= "/" handler= "welcome-content" /> <http-invoker security-realm= "ApplicationRealm" /> <access-log pattern= "%h %l %u %t &quot;%r&quot; %s %b %I %S %T" /> </host> </server> ...(snip)... </subsystem> 2. Deploy a war that contains the following example.jsp which write larger response than the default buffer size (16KB) and emulate long request processing with Thread.sleep(): <% System .out.println( "example.jsp - start" ); // int size = 8 * 1024; // 8KB int size = 16 * 1024; // 16KB - default buffer size char [] buffer = new char [size]; for ( int i = 0; i < size; i++) { buffer[i] = 'X' ; } try { // emulate long request processing System .out.println( "sleep 10 seconds" ); Thread .sleep(10*1000L); } catch (Exception ignore) {} out.print( "start" ); // out.flush(); out.write(buffer); out.print( "end" ); System .out.println( "example.jsp - end" ); %> 3. Use the following curl command to send a single request to example.jsp $ curl -v http: //127.0.0.1:8080/example/example.jsp This request can be processed successfully and the response contains all content ("start" + 16KB size of "X" + "end") 4. Use the following curl command to send two requests (1st one for the welcome content and 2nd one for example.jsp), so the 2nd request for example.jsp will be sent through the same keep-alive connection. Please make sure that execute the following command in one line. $ curl -v http: //127.0.0.1:8080/ http://127.0.0.1:8080/example/example.jsp Then, you will see that the curl command shows "curl: (18) transfer closed with outstanding read data remaining" on the 2nd request for example.jsp. And the response is truncated in the middle of 16KB size of "X", so you do not see the last "end" in the response. If you enable (uncomment) "out.flush()" in the above example.jsp, the response is truncated before 16KB size of "X", so you see only the first "start" in the response. — Another easy step to reproduce with web browser. This reproducer does not need "Thread.sleep()" in the application. 1. Deploy a war that contains the following example2.jsp which write larger response than the default buffer size (16KB): <% System .out.println( "example.jsp - start" ); // int size = 8 * 1024; // 8KB int size = 16 * 1024; // 16KB - default buffer size char [] buffer = new char [size]; for ( int i = 0; i < size; i++) { buffer[i] = 'X' ; } out.println( "start" ); // out.flush(); out.write(buffer); out.println(); out.println( "end" ); System .out.println( "example.jsp - end" ); %> 2. Access example2.jsp with web browser $ curl -v http: //127.0.0.1:8080/example/example.jsp This request can be processed successfully and the response contains all content ("start" + 16KB size of "X" + "end") 3. Wait for several seconds like 10 seconds which is longer than configure write-timeout (5000 = 5 seconds in this case) and is shorter than the default no-request-timeout (60000 = 60 seconds) 4. Reload the previews page to access the same example2.jsp again through the same keep-alive connection. You will see the response is truncated in the middle of 16KB size of "X", so you do not see the last "end" in the response. If you enable (uncomment) "out.flush()" in the above jsp, the response is truncated before 16KB size of "X", so you see only the first "start" in the response.

    Description

      Truncate reponse can happen unexpectedly for request comming through keep-alive connection due to the force connection closure by the write-timeout setting. This is similar to JBEAP-20814 that happened with read-timeout setting. (Note that JBEAP-20814 does not happened for ajp-listener but only for http-listener. However, this issue happens on both http-listener and ajp-listener.)

      If I understand correctly, the current write-timeout setting works like the following:

      • WriteTimeoutStreamSinkConduit#handleWriteTimeout() checks if currentTime exceeds expireTime of the write-timeout and bump the expireTime if it's not expired.
      • The WriteTimeoutStreamSinkConduit#handleWriteTimeout() check is triggered after the write() operation. So, the expiration basically happens when the duration takes longer than write-timeout between the multiple write() operations.

      However, the problem is the expireTime in WriteTimeoutStreamSinkConduit never resets to -1 even after completing an exchange (request/response) or before starting an new exchange (request/response). So, the write-timeout can be easily expired for requests that come through the same keep-alive connections.

      Also, the write() operation happens actually when flushing content to the response. So, it appears that the WriteTimeoutStreamSinkConduit#handleWriteTimeout() check happens after either of the following:

      • after writing out all response content when the response content size is smaller than the default buffer size (16KB)
      • after writing each response buffer (16KB) when the response content size is larger than the default buffer size (16KB)
      • after an application invokes response flush() of ServletOutputStream (or Servlet Writer) explicitly

      So, if the response content size is smaller than the default buffer size (16KB) and an application does not invoke response flush, the check happens after writing all content of the response. So, the problem is not revealed luckily in this scenario.
      However, if the response content size is larger than the default buffer size (16KB) or an application invokes response flush() in pieces explicitly, this response truncate issue happens after writing the first buffer.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2228 [GSS](7.4.z) Undertow write-timeout can cause a truncate response for request coming through keep-alive connection

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-25257 [GSS](8.0.z) UNDERTOW-2228 - Undertow write-timeout can cause a truncate response for request coming through keep-alive connection

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-25032 (7.4.z) Upgrade Undertow from 2.2.25.SP3-redhat-00001 to 2.2.26.SP1-redhat-00001

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-23722 [GSS](7.4.z) UNDERTOW-2241 Undertow write-timeout can cause missing the last zero-length chunk in long polling

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-24842 [GSS](7.4.z) UNDERTOW-2228 - Undertow write-timeout can cause a closing TCP connection without response for long-running remote EJB request

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              thofman Tomas Hofman
              rhn-support-mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: