httpd crashes with SIGSEGV when using "block return 401"

Jurjen Oskam-3
Hi,

httpd crashes with a segmentation violation when servicing requests with
the following (minimal) config file:

server "default" {
        listen on * port 80
        block return 401
}

It starts up OK, but on the first request this happens:

# httpd -d -v -v
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
logger exiting, pid 88769
lost child: pid 18355 terminated; signal 11
server exiting, pid 90619
server exiting, pid 37360
parent terminating, pid 91332


Altering the listening address or port results in the same symptom.
Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
*not* result in a crash; these seem to work as expected.

This happens on OpenBSD 6.0, 6.1 as well as -current.

If I can do anything to diagnose/fix this, please let me know via a
Cc:.

Regards,

Jurjen Oskam

Re: httpd crashes with SIGSEGV when using "block return 401"

Jonathan Gray-11
On Sun, May 14, 2017 at 10:05:37AM +0200, Jurjen Oskam wrote:

> Hi,
>
> httpd crashes with a segmentation violation when servicing requests with
> the following (minimal) config file:
>
> server "default" {
>         listen on * port 80
>         block return 401
> }
>
> It starts up OK, but on the first request this happens:
>
> # httpd -d -v -v
> startup
> server_privinit: adding server default
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> server_launch: configuring server default
> server_launch: running server default
> server_launch: configuring server default
> server_launch: running server default
> server_launch: configuring server default
> server_launch: running server default
> logger exiting, pid 88769
> lost child: pid 18355 terminated; signal 11
> server exiting, pid 90619
> server exiting, pid 37360
> parent terminating, pid 91332
>
>
> Altering the listening address or port results in the same symptom.
> Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
> *not* result in a crash; these seem to work as expected.
>
> This happens on OpenBSD 6.0, 6.1 as well as -current.
>
> If I can do anything to diagnose/fix this, please let me know via a
> Cc:.
>
> Regards,
>
> Jurjen Oskam

Thanks for the report.  The crash occurs when stravis(3) is passed a
NULL msg value.

Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.116
diff -u -p -r1.116 server_http.c
--- server_http.c 16 Mar 2017 10:18:11 -0000 1.116
+++ server_http.c 14 May 2017 08:33:43 -0000
@@ -887,6 +887,8 @@ server_abort_http(struct client *clt, un
  msg = buf;
  break;
  case 401:
+ if (msg == NULL)
+ break;
  if (stravis(&escapedmsg, msg, VIS_DQ) == -1) {
  code = 500;
  extraheader = NULL;
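
Review bot: in the `case 401:` arm, the new `if (msg == NULL) break;` leaves before stravis() and the rest of the arm run, so a bare `block return 401` is answered with a 401 that carries no header derived from msg. RFC 7235 expects a 401 response to include a WWW-Authenticate challenge, so either add a short comment above the check saying the omission is deliberate for config-driven blocks, or note in httpd.conf(5) that `block return 401` sends no challenge.
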
@@ -898,6 +900,8 @@ server_abort_http(struct client *clt, un
  }
  break;
  case 416:
+ if (msg == NULL)
+ break;
  if (asprintf(&extraheader,
     "Content-Range: %s\r\n", msg) == -1) {
  code = 500;
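
Review bot: in the `case 416:` arm, the guard keeps a NULL msg out of the `"Content-Range: %s\r\n"` format, but nothing says why msg can be NULL here. A one-line comment above `if (msg == NULL)` stating that the code may arrive without a message (as with `block return` in the config) would stop a later change from turning this path into `code = 500`.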


Re: httpd crashes with SIGSEGV when using "block return 401"

Florian Obser-2
On Sun, May 14, 2017 at 06:37:55PM +1000, Jonathan Gray wrote:

> On Sun, May 14, 2017 at 10:05:37AM +0200, Jurjen Oskam wrote:
> > Hi,
> >
> > httpd crashes with a segmentation violation when servicing requests with
> > the following (minimal) config file:
> >
> > server "default" {
> >         listen on * port 80
> >         block return 401
> > }
> >
> > It starts up OK, but on the first request this happens:
> >
> > # httpd -d -v -v
> > startup
> > server_privinit: adding server default
> > socket_rlimit: max open files 1024
> > socket_rlimit: max open files 1024
> > socket_rlimit: max open files 1024
> > server_launch: configuring server default
> > server_launch: running server default
> > server_launch: configuring server default
> > server_launch: running server default
> > server_launch: configuring server default
> > server_launch: running server default
> > logger exiting, pid 88769
> > lost child: pid 18355 terminated; signal 11
> > server exiting, pid 90619
> > server exiting, pid 37360
> > parent terminating, pid 91332
> >
> >
> > Altering the listening address or port results in the same symptom.
> > Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
> > *not* result in a crash; these seem to work as expected.
> >
> > This happens on OpenBSD 6.0, 6.1 as well as -current.
> >
> > If I can do anything to diagnose/fix this, please let me know via a
> > Cc:.
> >
> > Regards,
> >
> > Jurjen Oskam
>
> Thanks for the report.  The crash occurs when stravis(3) is passed a
> NULL msg value.

OK florian@

(I was wondering if we should set code = 500 in these cases, but that
would prevent using block return 401 / 416)

>
> Index: server_http.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.116
> diff -u -p -r1.116 server_http.c
> --- server_http.c 16 Mar 2017 10:18:11 -0000 1.116
> +++ server_http.c 14 May 2017 08:33:43 -0000
> @@ -887,6 +887,8 @@ server_abort_http(struct client *clt, un
>   msg = buf;
>   break;
>   case 401:
> + if (msg == NULL)
> + break;
>   if (stravis(&escapedmsg, msg, VIS_DQ) == -1) {
>   code = 500;
>   extraheader = NULL;
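
Review bot: nothing in this diff exercises the new `if (msg == NULL)` path at `case 401:`; the patch touches only server_http.c. A regress case that loads the three-line config from the report and checks that the first request gets a 401 instead of `lost child ... signal 11` would pin the fix.
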
> @@ -898,6 +900,8 @@ server_abort_http(struct client *clt, un
>   }
>   break;
>   case 416:
> + if (msg == NULL)
> + break;
>   if (asprintf(&extraheader,
>      "Content-Range: %s\r\n", msg) == -1) {
>   code = 500;
>
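
Review bot: the same two-line `if (msg == NULL) break;` guard now sits in both `case 401:` and `case 416:`. A comment at the top of server_abort_http() stating that msg may be NULL would make the contract visible in one place, so the next status code that formats msg does not reintroduce the crash.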

--
I'm not entirely sure you are real.
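
The guard discussed in this thread, as an added example that is not part of the original posts or of httpd's source: a hypothetical abort_header() helper keeps the status code and emits no extra header when msg is NULL, instead of handing NULL to the escaping routine. escape_dq() is a simplified stand-in for stravis(3), and the WWW-Authenticate layout is an assumption; only the Content-Range format appears in the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for stravis(3) with VIS_DQ (assumption: escapes only '"' and '\\').
 * Like the real call, it dereferences src, so src must not be NULL. */
static char *escape_dq(const char *src)
{
	size_t i, n = 0;
	char *p = malloc(2 * strlen(src) + 1);
	if (p == NULL)
		return NULL;
	for (i = 0; src[i] != '\0'; i++) {
		if (src[i] == '"' || src[i] == '\\')
			p[n++] = '\\';
		p[n++] = src[i];
	}
	p[n] = '\0';
	return p;
}

/* Concatenate three strings into a fresh allocation (NULL on failure). */
static char *join3(const char *a, const char *b, const char *c)
{
	size_t len = strlen(a) + strlen(b) + strlen(c) + 1;
	char *s = malloc(len);
	if (s != NULL)
		snprintf(s, len, "%s%s%s", a, b, c);
	return s;
}

/* Hypothetical helper (the 401 header layout is an assumption): returns the
 * status to send and sets *hdr to an optional header the caller frees. */
int abort_header(int code, const char *msg, char **hdr)
{
	char *esc;
	*hdr = NULL;
	if (msg == NULL || (code != 401 && code != 416))
		return code;	/* NULL msg: keep the code, send no extra header */
	if (code == 416) {
		*hdr = join3("Content-Range: ", msg, "\r\n");
	} else if ((esc = escape_dq(msg)) != NULL) {
		*hdr = join3("WWW-Authenticate: Basic realm=\"", esc, "\"\r\n");
		free(esc);
	}
	return *hdr == NULL ? 500 : code;	/* allocation failure becomes 500 */
}

int main(void)
{
	char *h;
	return abort_header(401, NULL, &h) == 401 && h == NULL ? 0 : 1;
}
```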
