Bug #119633 MySQL Router crashes (SIGSEGV) in cno_when_h1_head when REST API receives empty/malformed HTTP request
Submitted: 6 Jan 19:55
Reporter: Stylianos Malathouras
Status: Open
Category: MySQL Router
Severity: S3 (Non-critical)
Version: 8.4.7
OS: Red Hat (9.5)
Assigned to:
CPU Architecture: x86
Tags: 8.4.7, mysqlrouter, SIGSEGV

[6 Jan 19:55] Stylianos Malathouras
Description:
MySQL Router 8.4.7 crashes with segmentation fault when the REST API 
(http_server) receives an empty or malformed HTTP request.

The crash occurs in the HTTP/1.1 header parser (libcno) with ~6800+ 
recursive frames, indicating the async TLS completion handler fails 
to terminate properly on invalid input.

Environment:
- MySQL Router 8.4.7-1.el9
- REST API enabled on port 8443 with TLS
- Likely triggered by health check or probe sending no HTTP data

Stack trace (top frames):
#0  cno_when_h1_head (c=0x7fe59870c400) at core.c:1016
#1  cno_consume() at core.c:1316
#2  http::base::Connection<...>::on_net_receive() at connection.h:279
#3  http::base::Connection<...>::do_net_recv() at connection.h:249
#4-6850  SslIoCompletionToken::do_it() / do_token() [recursive]

Local variables at crash show empty/null HTTP request:
headers = {{name = {data = 0x0, size = 0}, ...} <repeats 66 times>}
m = {code = 0, method = {data = 0x0, size = 0}, path = {data = 0x0, size = 0}}

Expected: Router should gracefully reject invalid HTTP requests
Actual: Stack overflow from recursive async callbacks, process crashes

Workaround: Disable [http_server] section in mysqlrouter.conf

How to repeat:
Send any empty or malformed HTTP request.

Suggested fix:
Workaround: Disable [http_server] section in mysqlrouter.conf
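
A triage helper for the kind of trace described in this report, added here as an example (it is not code from the report or from MySQL Router): it parses full gdb `bt` output and reports which block of frames repeats and how many times, which helps tell stack exhaustion from deep recursion apart from an ordinary null dereference. The sample backtrace is constructed from the frame names in the report; `start_thread` as the outermost frame and the helper names `frame_names` and `find_recursion` are assumptions.

```python
import re

# Matches gdb frame lines such as "#1  0x00007f... in func (args) at file.c:12".
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?)\s*\(")

def frame_names(backtrace):
    """Return function names, innermost frame first, from gdb `bt` text."""
    matches = (FRAME_RE.match(line.strip()) for line in backtrace.splitlines())
    return [m.group(2) for m in matches if m]

def find_recursion(names, max_period=8):
    """Return (start, period, repeats) for the longest back-to-back
    repetition of a block of frames, or None if nothing repeats."""
    best, best_covered = None, 0
    for period in range(1, max_period + 1):
        i = 0
        while i + period < len(names):
            j = i
            while j + period < len(names) and names[j] == names[j + period]:
                j += 1
            covered = (j - i) + period  # frames spanned by the repetition
            if j - i >= period and covered > best_covered:
                best, best_covered = (i, period, covered // period), covered
            i = max(j, i + 1)
    return best

def constructed_backtrace(pairs=3000):
    """Constructed sample using the report's frame names (not real output)."""
    lines = [
        "#0  cno_when_h1_head (c=0x7fe59870c400) at core.c:1016",
        "#1  cno_consume () at core.c:1316",
        "#2  http::base::Connection<...>::on_net_receive () at connection.h:279",
        "#3  http::base::Connection<...>::do_net_recv () at connection.h:249",
    ]
    for k in range(pairs):
        lines.append(f"#{4 + 2 * k}  SslIoCompletionToken::do_it ()")
        lines.append(f"#{5 + 2 * k}  SslIoCompletionToken::do_token ()")
    lines.append(f"#{4 + 2 * pairs}  start_thread ()")  # assumed outermost frame
    return "\n".join(lines)

if __name__ == "__main__":
    names = frame_names(constructed_backtrace())
    start, period, repeats = find_recursion(names)
    print(f"{len(names)} frames; frames {names[start:start + period]} "
          f"repeat {repeats} times starting at #{start}")
```

The parser expects one frame per line, so feed it the complete `bt` output rather than an abbreviated summary such as `#4-6850`.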