2 changes: 2 additions & 0 deletions include/fluent-bit/tls/flb_tls.h
@@ -47,6 +47,8 @@
#define FLB_TLS_CLIENT_MODE 0
#define FLB_TLS_SERVER_MODE 1

#define FLB_TLS_DEFAULT_IO_TIMEOUT_S 60

struct flb_tls;
struct flb_connection;

48 changes: 35 additions & 13 deletions src/tls/flb_tls.c
@@ -20,6 +20,7 @@
#include <fluent-bit/flb_info.h>
#include <fluent-bit/flb_time.h>
#include <fluent-bit/flb_socket.h>
#include <fluent-bit/tls/flb_tls.h>

#include "openssl.c"

@@ -329,30 +330,32 @@ int flb_tls_net_read(struct flb_tls_session *session, void *buf, size_t len)
time_t current_timestamp;
struct flb_tls *tls;
int ret;
int timeout_value;

tls = session->tls;

if (session->connection->net->io_timeout > 0) {
timeout_timestamp = time(NULL) + session->connection->net->io_timeout;
timeout_value = session->connection->net->io_timeout;
}
else {
timeout_timestamp = 0;
timeout_value = FLB_TLS_DEFAULT_IO_TIMEOUT_S;
}
Comment on lines 340 to 342


P1 Badge Preserve io_timeout=0 semantics in TLS sync paths

This fallback changes net.io_timeout=0 from “infinite” to a hard 60-second deadline (FLB_TLS_DEFAULT_IO_TIMEOUT_S), so blocking TLS reads/writes can now fail after 60s even when operators intentionally disabled I/O timeouts (the global default is still 0/infinite in src/flb_network.c:153). In environments with long-lived or bursty TLS connections, repeated WANT_* during idle/backpressure will hit this forced deadline and drop otherwise healthy sessions; the same regression is also present in flb_tls_net_write’s else branch.

Useful? React with 👍 / 👎.

Author


I suppose the question here is whether this is a realistic scenario that a user would want to block forever, and if it should be the default. The other option is to have io_timeout default to something non-zero I suppose.

Or do nothing and have users specify io_timeout to fix this.

timeout_timestamp = time(NULL) + timeout_value;

retry_read:
ret = tls->api->net_read(session, buf, len);

current_timestamp = time(NULL);

if (ret == FLB_TLS_WANT_READ) {
if (timeout_timestamp > 0 &&
timeout_timestamp <= current_timestamp) {
return ret;
if (ret == FLB_TLS_WANT_READ || ret == FLB_TLS_WANT_WRITE) {
if (timeout_timestamp <= current_timestamp) {
flb_warn("[tls] Read timed out after %d seconds", timeout_value);
return -1;
}

goto retry_read;
}
else if (ret == FLB_TLS_WANT_WRITE) {
// add short delay to prevent CPU hogging
flb_time_msleep(5);

goto retry_read;
}
else if (ret < 0) {
@@ -435,22 +438,41 @@ int flb_tls_net_read_async(struct flb_coro *co,
int flb_tls_net_write(struct flb_tls_session *session,
const void *data, size_t len, size_t *out_len)
{
time_t timeout_timestamp;
time_t current_timestamp;
size_t total;
int ret;
struct flb_tls *tls;
int timeout_value;

total = 0;
tls = session->tls;

if (session->connection->net->io_timeout > 0) {
timeout_value = session->connection->net->io_timeout;
}
else {
timeout_value = FLB_TLS_DEFAULT_IO_TIMEOUT_S;
}
timeout_timestamp = time(NULL) + timeout_value;

retry_write:
ret = tls->api->net_write(session,
(unsigned char *) data + total,
len - total);

if (ret == FLB_TLS_WANT_WRITE) {
goto retry_write;
}
else if (ret == FLB_TLS_WANT_READ) {
current_timestamp = time(NULL);

if (ret == FLB_TLS_WANT_WRITE || ret == FLB_TLS_WANT_READ) {
if (timeout_timestamp <= current_timestamp) {
flb_warn("[tls] Write timed out after %d seconds", timeout_value);
*out_len = total;
return -1;
}

// add short delay to prevent CPU hogging
flb_time_msleep(5);

goto retry_write;
}
else if (ret < 0) {
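Review bot: The new deadline in flb_tls_net_read and flb_tls_net_write is derived from `time(NULL)`, which is wall-clock time with one-second resolution, so a clock step while the loop is polling moves the cut-off: a backward step keeps the thread in the 5 ms retry loop past the configured limit, and a forward step takes the `return -1` path on a session that was still inside its budget. Since this deadline is now the only bound on a peer that keeps answering WANT_READ/WANT_WRITE, it would be more dependable taken from a monotonic source (for example `clock_gettime(CLOCK_MONOTONIC, ...)` where the platform provides it). The deadline is also set once before `retry_read:` / `retry_write:` and, as far as these hunks show, never refreshed, so it bounds the whole call rather than idle time; a comment such as `/* absolute deadline for the whole call, not an idle timeout */` above `timeout_timestamp = time(NULL) + timeout_value;` would make that explicit. Both function bodies continue past the end of their hunks.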