app/vmauth: properly close backend response body

Previously After RoundTrip returns successfully (err == nil, res != nil), the code checks if the original client request's context was canceled. If canceled, it returns immediately without closing res.Body. There is a race window where: 1) RoundTrip completes successfully (res is non-nil) 2) The client cancels the request context (closes connection) 3) The context check at line 484 sees the cancellation 4) The function returns without closing res.Body The response body holds a reference to the underlying TCP connection. Without closing it, the connection is permanently leaked along with the transport goroutines (readLoop + writeLoop or dialConnFor). bug was introduced at https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10233 Fixes https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10833
2026-05-17 08:36:55 +03:00 · 2026-04-17 11:57:13 +03:00
parent fd45463b5f
commit d66b7a2283
2 changed files with 4 additions and 1 deletions
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -481,6 +481,9 @@ func tryProcessingRequest(w http.ResponseWriter, r *http.Request, targetURL *url
 	canRetry := !bbOK || bb.canRetry()

 	res, err := ui.rt.RoundTrip(req)
+	if err == nil {
+		defer func() { _ = res.Body.Close() }()
+	}

 	if errors.Is(r.Context().Err(), context.Canceled) {
 		// Do not retry canceled requests.
@@ -550,7 +553,6 @@ func tryProcessingRequest(w http.ResponseWriter, r *http.Request, targetURL *url
 	w.WriteHeader(res.StatusCode)

 	err = copyStreamToClient(w, res.Body)
-	_ = res.Body.Close()

 	if errors.Is(r.Context().Err(), context.Canceled) {
 		// Do not retry canceled requests.